Yes, this sounds like the best way to go.

Regarding the specific problem with the web console displaying the web access log, I'd like to get some consensus. Is this something that the containers should modify when storing the URL as part of a message in the appropriate web log? (I have confirmed this is a problem with both Tomcat and Jetty.)

Or should we address this within the web access log viewer and/or management objects, to modify the content of the log records when they are being displayed?

My preference would be to make the modification at the time the log record is created.

Joe

Prasad Kashyap wrote:
The simplest solution to this problem would be to process the strings before they are written out by the JSP, by replacing any occurrences of <script> with &lt;script&gt;. This will ensure that the string will be rendered as is in the browser and won't be executed.

Of course, this becomes a tactical solution which every one of our apps, especially the Console, would have to implement. The one-place fix for it should be someplace in the container.

Cheers
Prasad.

On 1/17/06, Dave Colasurdo <[EMAIL PROTECTED]> wrote:

    I've confirmed that the cross-site scripting problem also occurs in
    jsp-examples in pure Tomcat 5.5.12 without Geronimo.

    -Dave-

    Jacek Laskowski wrote:
     > 2006/1/17, oliver karow <[EMAIL PROTECTED]>:
     >
     > Hi Oliver,
     >
     > I think it belongs to dev now.
     >
     >
     >>>>The first one is a classical cross-site scripting in the
     >>>>jsp-examples:
     >>>>
     >>>>http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

     >>>
     >>>Is it us or is it a general and *well-known* Tomcat vulnerability we
     >>>could not do much to prevent it other than ask Tomcat PMC to get rid
     >>>of it?
     >>
     >>I did not check this, because I installed geronimo/jetty as a
     >>complete package. I assumed that the sample script belongs to the geronimo.
     >>package. I assumed that the sample script belongs to the geronimo.
     >
     >
     > AFAIK, Geronimo doesn't change much in the JSP processing (it does a
     > little wrt security and such, but JSP compilation and execution is
     > handed over to Jetty/Tomcat). So, I'd call it a bug in the example
     > itself or in the way Jetty/Tomcat handles it. I do think it has
     > nothing to do with Geronimo itself.
     >
     > Could you verify that the bug won't happen in a clear Jetty/Tomcat
     > installation? I'd bet it will (no hands of mine offered intentionally
     > ;)).
     >
     > --
     > Jacek Laskowski
     > http://www.laskowski.org.pl
     >
     >



--
Joe Bohn
joe.bohn at earthlink.net

"He is no fool who gives what he cannot keep, to gain what he cannot lose." -- Jim Elliot
