DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH
THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8410>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8410

Parameters passed with jsp:param not encoded and vulnerable to overwriting

           Summary: Parameters passed with jsp:param not encoded and
                    vulnerable to overwriting
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Jasper
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


When passing a string value to a JSP using the jsp:forward and jsp:param
methods, parameters can be overwritten or added. Also, strings containing
certain characters are not processed properly.

Example
-------

thispage.jsp:

    <% String message = "somevalue&anotherkey=anothervalue"; %>
    <jsp:forward page="somepage.jsp">
      <jsp:param name="somekey" value="<%=message%>" />
    </jsp:forward>

The resulting Java code in the work folder is:

    String message = "somevalue&anotherkey=anothervalue";
    if (true) {
        out.clear();
        String _jspx_qfStr = "";
        _jspx_qfStr = _jspx_qfStr + "?somekey=" + message;
        pageContext.forward("somepage.jsp" + _jspx_qfStr);
        return;
    }

As we can see, the variable message is simply appended to the GET string
without any kind of parsing, encoding or masking. In somepage.jsp we can now
access the parameter "anotherkey" with its value "anothervalue".

This also leads to the problem that any string containing the characters "="
or "&" is not passed properly. A string containing the "=" character (not
following a "&" character) results in the passed string evaluating to null.

Example: somevalue=anothervalue

This nulls the value of somekey. If the string contains the "&" character
(i.e. somevalue&anothervalue), the value of somekey is cut off at the "&".
Even escaping the "&" character with &amp; doesn't work.

Here comes the security risk. Assuming we know the names of the parameters
and the order they are passed in, it is possible to overwrite following
parameters.

Example: bug.jsp

    <%@ page language="java" contentType="text/html" %>
    <% String message = request.getParameter("message"); %>
    <jsp:forward page="somepage.jsp">
      <jsp:param name="somekey" value="<%=message%>" />
      <jsp:param name="athirdkey" value="athirdvalue" />
    </jsp:forward>

somepage.jsp now looks like this:

    <%@ page language="java" contentType="text/html" %>
    <%
      String message = request.getParameter("somekey");
      String anothervalue = request.getParameter("anotherkey");
      String athirdvalue = request.getParameter("athirdkey");
      out.println("somekey=" + message);
      out.println("anotherkey=" + anothervalue);
      out.println("athirdkey=" + athirdvalue);
    %>

Now consider the following input for the parameter "message" going into
bug.jsp:

    somevalue&athirdkey=adifferentvalue

The output of somepage.jsp is now:

    somekey=somevalue
    anotherkey=null
    athirdkey=adifferentvalue
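The following Java program is an added illustration of the defect and its fix; it is not part of the bug report and not Tomcat's or Jasper's own code. buildUnencoded reproduces the string concatenation in the generated code quoted above, buildEncoded is the corrected form that percent-encodes every jsp:param name and value with java.net.URLEncoder before appending it, and parseQuery is a deliberately simplified stand-in for how a container splits a query string (an assumption for the demo, not Tomcat's parser; it keeps the first value of a repeated name, which matches the output shown in the report). The sample "message" value is constructed to match the report's final example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class JspParamEncoding {

    // Mirrors the generated Jasper code from the report: values are appended raw,
    // so "&" and "=" inside a value become parameter separators.
    static String buildUnencoded(String page, Map<String, String> params) {
        StringBuilder qf = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            qf.append(qf.length() == 0 ? "?" : "&")
              .append(e.getKey()).append('=').append(e.getValue());
        }
        return page + qf;
    }

    // Corrected form (added here, not Jasper's code): percent-encode each name
    // and value, so the container sees exactly one parameter per jsp:param.
    static String buildEncoded(String page, Map<String, String> params)
            throws UnsupportedEncodingException {
        StringBuilder qf = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            qf.append(qf.length() == 0 ? "?" : "&")
              .append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return page + qf;
    }

    // Simplified stand-in for container query-string parsing (assumption):
    // split on "&", then on the first "=", decode, first occurrence of a name wins.
    static Map<String, String> parseQuery(String url) throws UnsupportedEncodingException {
        Map<String, String> out = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) {
            return out;
        }
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.putIfAbsent(URLDecoder.decode(name, "UTF-8"),
                            URLDecoder.decode(value, "UTF-8"));
        }
        return out;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed input with the same shape as the report's "message" parameter.
        String message = "somevalue&athirdkey=adifferentvalue";
        Map<String, String> params = new LinkedHashMap<>();   // same order as the jsp:param tags
        params.put("somekey", message);
        params.put("athirdkey", "athirdvalue");

        String raw = buildUnencoded("somepage.jsp", params);
        String safe = buildEncoded("somepage.jsp", params);

        // Unencoded: athirdkey is overwritten by the value smuggled inside "message".
        System.out.println("unencoded: " + raw);
        System.out.println("  parsed : " + parseQuery(raw));
        // Encoded: somekey carries the whole string and athirdkey keeps its own value.
        System.out.println("encoded  : " + safe);
        System.out.println("  parsed : " + parseQuery(safe));
    }
}
```

With the unencoded builder the forwarded URL is somepage.jsp?somekey=somevalue&athirdkey=adifferentvalue&athirdkey=athirdvalue and the parser yields athirdkey=adifferentvalue, exactly the overwrite the report shows; with the encoded builder the "&" and "=" inside the value arrive as %26 and %3D, somekey decodes back to the full original string and athirdkey stays athirdvalue. The general rule this demonstrates is that any value spliced into a URL's query component must be percent-encoded at the point of concatenation, whatever page generator or framework does the splicing.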
