Best wishes,
Paul
On 1/18/06, Jeff Genender <[EMAIL PROTECTED]> wrote:
Where I am going with this... is this a vulnerability caused by the coding
of the apps, or by the containers themselves?
i.e., will I have this problem with a Perl app running on httpd? Or
ASP/C# on IIS? Is this type of vulnerability a facet of responsibility
that lies on the container, or the developer?
I am just trying to assess this as a true vulnerability from a web
container perspective. I am assuming that, yes, the container could
change the < and > to &lt; and &gt;. But I am wondering where we draw
the line, and wonder if that is too heavy-handed.
If the other web servers provide protection from this, then I guess it's
safe to assume we should follow the pack. OTOH, I surely would not want
to take away too much responsibility from the developer to ensure they are
properly securing their own apps, while maintaining a bit of flexibility
for them.
Jeff
Kevan Miller wrote:
>
> On Jan 18, 2006, at 11:24 AM, Jeff Genender wrote:
>
>> So assuming this appears to be somewhat "examples" related, is this
>> truly a container problem, or just the jsp examples implementation?
>
> IANASE, but it seems that any vulnerabilities must be fixed in the apps
> themselves -- certainly seems like the only course of action for G
> 1.0.1. I'm currently aware of problems with samples and the admin console.
>
> Apps must ensure they return appropriate content to clients. I don't see
> how a container could provide general XSS protection... I'm sure there
> are people who know much more than I on the topic...
>
> --kevan

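An added illustration of the escaping Jeff describes above (example code written for this page, not from Geronimo, its samples or the admin console): a per-application HTML-escaping helper applied only to the untrusted value, next to what a blanket container-level rewrite of `<` and `>` would do to the legitimate markup in the same response. The class name, method names and the sample input are constructed.

```java
// Added example, not code from the Geronimo project. Shows the two sides of the
// thread: an app escaping untrusted data before echoing it (the developer's job)
// versus a container rewriting every < and > in the response (heavy-handed).
public final class HtmlEscapeDemo {

    /** Escape the characters that are significant in HTML text and attribute values. */
    public static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What a sample page should do: escape only the untrusted request value. */
    public static String renderGreeting(String untrustedName) {
        return "<p>Hello, " + escape(untrustedName) + "</p>";
    }

    /** What a container-wide rewrite of < and > over the whole response would do. */
    public static String containerRewrite(String responseBody) {
        return responseBody.replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed input standing in for a request parameter reflected by a page.
        String name = "<script>/* injected */</script>";

        // The app-level approach neutralises the markup in the value only.
        System.out.println(renderGreeting(name));

        // The container-level approach also breaks the page's own <p> tags,
        // which is why the thread worries that it is too heavy-handed.
        System.out.println(containerRewrite("<p>Hello, " + name + "</p>"));
    }
}
```

The same helper would be applied in a JSP or servlet wherever a request parameter, header or stored value is written into the page; the container cannot know which parts of the response are trusted markup and which are data.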