geronimo-dev mailing list archives

From: oliver karow <oliver.ka...@gmx.de>
Subject: Geronimo/Jetty 1.0 - CSS and persistent HTML-Injection
Date: Sat, 14 Jan 2006 11:27:19 GMT
Hi,

I played around with Geronimo 1.0 / Jetty 5.1.9 on the Windows platform and
found two vulnerabilities:

The first one is a classic cross-site scripting vulnerability in the
jsp-examples:

http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

The second one is a persistent HTML/script injection vulnerability,
which is a little more critical than the first one:

The web access log viewer does no filtering of HTML/script tags, and
therefore allows attacks against the user of the admin console.

For example the request:

http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

is stored without sanitizing inside the log file, and the script part is
executed if the Geronimo admin accesses the web access log viewer.
An example attack can steal the current session ID of the admin, which
is stored as a cookie.

Please feel free to get in contact with me if you need more info. Due to
the limited risk of these attacks (the admin port is hopefully well filtered
by a firewall), I did not spend much time on analysing it. But I think
this should be fixed to reach the best affordable security for the product.

best regards,

Oliver

PS: I was not able to find a mail address dedicated to Geronimo
security issues. Thus I sent this information to this mailing list.
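The stored-injection problem described in the message above, as an added example that is not code from the original post, from Geronimo or from Jetty. It assumes the access log is shaped like NCSA common log format (the real Geronimo viewer's parsing and templating are not shown here), and all log lines are constructed for illustration. It places a viewer that concatenates log fields into HTML verbatim (the behaviour the report describes) beside one that HTML-escapes every attacker-influenced field, and adds a simple detection check, a heuristic pattern of my own, that flags request lines carrying markup, percent-decoded so an encoded payload is caught as well as a raw one.

```python
"""Added example (not Geronimo/Jetty code): an access-log viewer that
HTML-escapes log fields, beside the unsafe rendering the report describes,
plus a detection pass over the same log lines.

Log lines are constructed for illustration and shaped like NCSA common log
format; they are not real Jetty output.
"""
import html
import re
from urllib.parse import unquote

# Constructed sample log lines. Line 3 carries the payload from the report
# as a non-browser client (curl, a raw socket) would send it, unencoded;
# line 4 carries an equivalent percent-encoded payload.
SAMPLE_LOG = [
    '10.10.10.5 - - [14/Jan/2006:11:00:01 +0000] "GET /jsp-examples/cal/cal2.jsp?time=8am HTTP/1.1" 200 1432',
    '10.10.10.5 - - [14/Jan/2006:11:00:02 +0000] "GET /console/ HTTP/1.1" 200 5120',
    '10.10.10.7 - - [14/Jan/2006:11:01:17 +0000] "GET /jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script> HTTP/1.1" 200 1432',
    '10.10.10.7 - - [14/Jan/2006:11:01:18 +0000] "GET /jsp-examples/cal/cal2.jsp?time=%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1432',
]

# NCSA common log format. The request field is matched greedily because an
# injected payload may itself contain double quotes (see line 3 above), so
# the closing quote is the last one before the status code.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

FIELDS = ("host", "time", "request", "status")


def parse_line(line: str) -> dict:
    """Split one log line into its fields; reject anything that does not fit."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def render_unsafe(lines) -> str:
    """Mimics the reported bug: fields are concatenated into HTML verbatim,
    so a logged <script> tag becomes live markup in the admin's browser."""
    rows = []
    for e in map(parse_line, lines):
        rows.append("<tr>" + "".join(f"<td>{e[k]}</td>" for k in FIELDS) + "</tr>")
    return "<table>" + "".join(rows) + "</table>"


def render_safe(lines) -> str:
    """Hardened viewer: every field taken from the log is HTML-escaped
    (quotes included) before being placed in element content, so the
    payload is displayed as text rather than executed."""
    rows = []
    for e in map(parse_line, lines):
        cells = (html.escape(e[k], quote=True) for k in FIELDS)
        rows.append("<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>")
    return "<table>" + "".join(rows) + "</table>"


# Heuristic (my own, not from the report): tags that run script or load
# resources, inline event handlers, and javascript: URLs.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg|object|embed)\b|\bon\w+\s*=|javascript:",
    re.I,
)


def looks_injected(line: str) -> bool:
    """Flag a log line whose request carries HTML/script markup. The request
    is percent-decoded first so an encoded payload is caught as well."""
    req = parse_line(line)["request"]
    return bool(MARKUP_RE.search(unquote(req)))


def suspicious_lines(lines) -> list:
    """Return the subset of log lines that look like injection attempts."""
    return [line for line in lines if looks_injected(line)]


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_LOG[2:3]))
    print("safe:  ", render_safe(SAMPLE_LOG[2:3]))
    for line in suspicious_lines(SAMPLE_LOG):
        print("ALERT:", line)
```

Escaping at the point of output is the fix that matters; rejecting or rewriting requests before they reach the log would only hide evidence of the attack, and the detection pass is useful precisely because the log keeps the payload verbatim.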

