I've verified the problem on both Tomcat and Jetty in Geronimo 1.0 ...
so I think that means it has not yet been addressed in tomcat 5.5.9.
Joe
Jeff Genender wrote:
Prasad Kashyap wrote:
Is log record the only place where a user input param is written back to the
browser? I'd guess not.
Since Tomcat claims to fix this in v5.5.7, we may have to implement the
tactical solution in our apps till we move to Tomcat 5.5.7.
We currently use 5.5.9, so I would assume this has been tended to. Has
anybody examined this to be the case (or not)?
What about Jetty?
Cheers
Prasad
On 1/17/06, Joe Bohn <[EMAIL PROTECTED]> wrote:
Yes, this sounds like the best way to go.
Regarding the specific problem with the web console displaying the web
access log I'd like to get some consensus. Is this something that the
containers should modify when storing the URL as part of a message in
the appropriate web log? (I have confirmed this is a problem with both
Tomcat and Jetty)
Or, should we address this within the web access log viewer and/or
management objects to modify the content of the log records when they
are being displayed?
My preference would be to make the modification at the time the log
record is created.
Joe
Prasad Kashyap wrote:
The simplest solution to this problem would be to process the strings
before they are written out by the jsp by replacing any occurrences of
<script> with &lt;script&gt;. This will ensure that the string will be
rendered as is on the browser and won't be executed.
Of course, this becomes a tactical solution which every one of our apps,
especially the Console, would have to implement. The one place fix for
it should be in someplace in the container.
Cheers
Prasad.
On 1/17/06, *Dave Colasurdo* <[EMAIL PROTECTED]> wrote:
I've confirmed that the cross-site scripting problem also occurs in
jsp-examples in pure Tomcat 5.5.12 without Geronimo.
-Dave-
Jacek Laskowski wrote:
> 2006/1/17, oliver karow <[EMAIL PROTECTED]>:
>
> Hi Oliver,
>
> I think it belongs to dev now.
>
>
>>>>The first one is a classical cross-site scripting in the
>>>>jsp-examples:
>>>>
>>>>http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/<script>alert('Gotcha')</script>
>>>
>>>Is it us or is it a general and *well-known* Tomcat vulnerability we
>>>could not do much to prevent it other than ask Tomcat PMC to get rid
>>>of it?
>>
>>I did not check this, because I installed geronimo/jetty as a complete
>>package. I assumed that the sample script belongs to the geronimo.
>
>
> AFAIK, Geronimo doesn't change much in the JSP processing (it does a
> little wrt security and such, but JSP compilation and execution is
> handed over to Jetty/Tomcat). So, I'd call it a bug in the example
> itself or in the way Jetty/Tomcat handles it. I do think it has
> nothing to do with Geronimo itself.
>
> Could you verify that the bug won't happen in a clear Jetty/Tomcat
> installation? I'd bet it will (no hands of mine offered intentionally
> ;)).
>
> --
> Jacek Laskowski
> http://www.laskowski.org.pl
>
>
--
Joe Bohn
joe.bohn at earthlink.net
"He is no fool who gives what he cannot keep, to gain what he cannot
lose." -- Jim Elliot