[ http://issues.apache.org/jira/browse/GERONIMO-1540?page=comments#action_12364003 ]
Dave Colasurdo commented on GERONIMO-1540:
------------------------------------------

The Tomcat team has fixed this in their open builds (but *not* in Tomcat 5.5.15). I've extracted the latest Tomcat source and built it to get the latest binary image of the jsp-examples.

Tomcat info:
Path: .
URL: http://svn.apache.org/repos/asf/tomcat/current/tc5.5.x
Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 372275
Node Kind: directory
Schedule: normal
Last Changed Author: remm
Last Changed Rev: 344145
Last Changed Date: 2005-11-14 10:19:03 -0500 (Mon, 14 Nov 2005)
Properties Last Updated: 2006-01-25 12:21:02 -0500 (Wed, 25 Jan 2006)

Also, merged our custom geronimo changes into the war file and changed the geronimo build to pick up the new war file. I've provided a geronimo patch for the 1.0 branch and an updated war file. The attached war file needs to get published to http://svn.apache.org/repository/geronimo-samples/wars/ prior to committing the patch.

> Fix security vulnerability in jsp-examples
> ------------------------------------------
>
>          Key: GERONIMO-1540
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1540
>      Project: Geronimo
>         Type: Bug
>   Components: sample apps
>     Versions: 1.0.1, 1.1
>     Reporter: Dave Colasurdo
>
> Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat
> jsp-examples that are included in Geronimo. It fails on both Jetty and
> Tomcat.
> This can be reproduced with the following urls:
> http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
> http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
> This JIRA does not address a related problem in the admin console. That
> problem is addressed in GERONIMO-1474.

--
This message is automatically generated by JIRA.
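The report above shows the `time` parameter breaking out of an attribute value. The following is an added illustration, not code from the Tomcat jsp-examples or from the Geronimo patch; the `<input>` markup is a hypothetical stand-in for wherever cal2.jsp echoes the parameter, and `encodeAttr` is a minimal encoder written here, not Tomcat's own filter.

```java
// Added example: reflecting a request parameter into an HTML attribute
// without encoding (the bug class in GERONIMO-1540) versus with encoding.
public class Cal2TimeField {

    // Hypothetical stand-in for the vulnerable pattern: the raw request
    // parameter is concatenated straight into a double-quoted attribute.
    static String renderUnsafe(String time) {
        return "<input type=\"hidden\" name=\"time\" value=\"" + time + "\"/>";
    }

    // Minimal HTML attribute encoder (written for this example, not
    // Tomcat's util.HTMLFilter): escapes the characters that can close
    // a quoted attribute or open a new tag.
    static String encodeAttr(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened form: identical markup, parameter encoded before insertion.
    static String renderSafe(String time) {
        return "<input type=\"hidden\" name=\"time\" value=\""
                + encodeAttr(time) + "\"/>";
    }

    public static void main(String[] args) {
        // The value from the report's reproduction URL, as the servlet
        // container would hand it to request.getParameter("time").
        String reported = "\"/><script>alert('Gotcha')</script>";
        String unsafe = renderUnsafe(reported);
        String safe = renderSafe(reported);
        System.out.println(unsafe);                     // a real <script> tag
        System.out.println(safe);                       // inert text in value=""
        System.out.println("unsafe has tag: " + unsafe.contains("<script>"));
        System.out.println("safe has tag:   " + safe.contains("<script>"));
    }
}
```

A quick regression check for a fix like the Tomcat one is exactly the last two lines: feed the reported value through the page's rendering path and assert that no raw `<` or `"` from the parameter survives into the response.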
