Prasad Kashyap wrote:
> Is log record the only place where a user input param is written back to the
> browser ? I'd guess not.
>
> Since Tomcat claims to fix this in v5.5.7, we may have to implement the
> tactical solution in our apps till we move to Tomcat 5.5.7.

We currently use 5.5.9, so I would assume this has been tended to. Has anybody examined this to be the case (or not)?

> What about Jetty ?
>
> Cheers
> Prasad
>
> On 1/17/06, Joe Bohn <[EMAIL PROTECTED]> wrote:
>> Yes, this sounds like the best way to go.
>>
>> Regarding the specific problem with the web console displaying the web
>> access log I'd like to get some consensus. Is this something that the
>> containers should modify when storing the URL as part of a message in
>> the appropriate web log? (I have confirmed this is a problem with both
>> Tomcat and Jetty)
>>
>> Or, should we address this within the web access log viewer and/or
>> management objects to modify the content of the log records when they
>> are being displayed?
>>
>> My preference would be to make the modification at the time the log
>> record is created.
>>
>> Joe
>>
>> Prasad Kashyap wrote:
>>> The simplest solution to this problem would be to process the strings
>>> before they are written out by the jsp by replacing any occurrences of
>>> <script> with &lt;script&gt;. This will ensure that the string will be
>>> rendered as is on the browser and won't be executed.
>>>
>>> Of course, this becomes a tactical solution which every one of our apps,
>>> especially the Console, would have to implement. The one place fix for
>>> it should be in someplace in the container.
>>>
>>> Cheers
>>> Prasad.
>>>
>>> On 1/17/06, *Dave Colasurdo* <[EMAIL PROTECTED]
>>> <mailto:[EMAIL PROTECTED]>> wrote:
>>>
>>> I've confirmed that the cross-site scripting problem also occurs in
>>> jsp-examples in pure Tomcat 5.5.12 without Geronimo.
>>>
>>> -Dave-
>>>
>>> Jacek Laskowski wrote:
>>> > 2006/1/17, oliver karow < [EMAIL PROTECTED]
>>> <mailto:[EMAIL PROTECTED]>>:
>>> >
>>> > Hi Oliver,
>>> >
>>> > I think it belongs to dev now.
>>> >
>>> >
>>> >>>>The first one is a classical cross-site scripting in the
>>> >>>>jsp-examples:
>>> >>>>
>>> >>>>http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/
>>> >>>><script>alert('Gotcha')</script>
>>> >>>
>>> >>>Is it us or is it a general and *well-known* Tomcat vulnerability we
>>> >>>could not do much to prevent it other than ask Tomcat PMC to get rid
>>> >>>of it?
>>> >>
>>> >>I did not check this, because I installed geronimo/jetty as a complete
>>> >>package. I assumed that the sample script belongs to the geronimo.
>>> >
>>> >
>>> > AFAIK, Geronimo doesn't change much in the JSP processing (it does a
>>> > little wrt security and such, but JSP compilation and execution is
>>> > handed over to Jetty/Tomcat). So, I'd call it a bug in the example
>>> > itself or in the way Jetty/Tomcat handles it. I do think it has
>>> > nothing to do with Geronimo itself.
>>> >
>>> > Could you verify that the bug won't happen in a clear Jetty/Tomcat
>>> > installation? I'd bet it will (no hands of mine offered intentionally
>>> > ;)).
>>> >
>>> > --
>>> > Jacek Laskowski
>>> > http://www.laskowski.org.pl
>>> >
>>> >
>>>
>> --
>> Joe Bohn
>> joe.bohn at earthlink.net
>>
>> "He is no fool who gives what he cannot keep, to gain what he cannot
>> lose." -- Jim Elliot
>>
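The output-encoding fix the thread calls the "tactical solution", written out as an added example (this is not Geronimo, Tomcat or Jetty code, and the class name, the log-record format and the helper names are constructed for illustration). It encodes every HTML metacharacter rather than only the token `<script>`, because the reported payload also relies on the `"` and the closing tag, which a single-token replacement leaves untouched. The same `escapeHtml()` can be applied at either of the two points Joe raises: when the access-log record is created, or when the log viewer renders it.

```java
/**
 * Added example, not part of the Geronimo/Tomcat/Jetty code bases:
 * HTML-encode an untrusted string before it is written into an HTML page,
 * e.g. a request parameter echoed by a JSP or an access-log line shown
 * in the console's web access log viewer.
 */
public final class HtmlOutputEncoder {

    private HtmlOutputEncoder() {}

    /**
     * Replaces each HTML metacharacter with its character reference so the
     * browser renders the text literally instead of parsing it as markup.
     * Encoding '&', '<', '>', '"' and '\'' covers both element content and
     * quoted attribute values.
     */
    public static String escapeHtml(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * The single-token replacement proposed in the thread, kept here only to
     * contrast it with escapeHtml(): the quote and the closing tag pass through.
     */
    public static String replaceScriptTagOnly(String untrusted) {
        return untrusted.replace("<script>", "&lt;script&gt;");
    }

    /**
     * Builds one access-log record with the request URI already encoded, i.e.
     * the "fix at log-record creation time" option from the thread.
     * The record layout is a constructed illustration, not a real log format.
     */
    public static String accessLogRecord(String clientIp, String requestUri) {
        return clientIp + " \"GET " + escapeHtml(requestUri) + " HTTP/1.1\"";
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the query string reported on the list.
        String payload = "\"/<script>alert('Gotcha')</script>";

        System.out.println("token replacement : " + replaceScriptTagOnly(payload));
        System.out.println("full HTML encoding: " + escapeHtml(payload));
        System.out.println("log record        : "
            + accessLogRecord("10.10.10.10", "/jsp-examples/cal/cal2.jsp?time=" + payload));
    }
}
```

Compile and run with `javac HtmlOutputEncoder.java && java HtmlOutputEncoder`. The first output line still contains a raw `"` and a raw `</script>`; the second and third contain only character references, which is the property a log viewer or JSP needs before it inserts request-derived text into a page.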
