geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul McMahan <paulmcma...@gmail.com>
Subject Re: geronimo 1.0 - CSS vulnerabilities - response from Tomcat team
Date Wed, 18 Jan 2006 19:38:18 GMT
Jeff, I believe it is the responsibility of the application to secure itself
against XSS attacks, and not the web container's. As you know, the web
container really has no way to differentiate between legitimate and
"tainted" content in the output stream.  The container could do paranoid
things such as replacing suspicous characters when it logs request URIs.
But, as you say, that type of approach could be seen as too heavy handed.

Best wishes,
Paul

On 1/18/06, Jeff Genender <jgenender@apache.org> wrote:
>
> Where I am going at with this...is this a vulnerability caused by coding
> the apps, or the containers themselves?
>
> i.e., Will I have this problem with a perl app running on httpd? or
> ASP/C# on IIS?  Is this type of vulnerability a facet of responsibility
> that lies on the container, or the developer?
>
> I am just trying to assess this as a true vulnerability from a web
> container perspective.  I am assuming, that yes, the container could
> change the < and > to lt&; and gt&;.  But, I am wondering where we draw
> the line and wonder if that is too heavy handed.
>
> If the other web servers provide protection from this, then I guess its
> safe to assume we should follow the pack. OTOH, I surely would not want
> to take away too much responsibility of the developer to ensure they are
> properly securing their own apps, while maintaining a bit of flexibility
> for them.
>
> Jeff
>
> Kevan Miller wrote:
> >
> > On Jan 18, 2006, at 11:24 AM, Jeff Genender wrote:
> >
> >> So assuming this appears to be somewhat "examples" related, is this
> >> truly a container problem, or just the jsp examples implementation?
> >
> > IANASE, but it seems that any vulnerabilities must be fixed in the apps
> > themselves -- certainly seems like the only course of action for G
> > 1.0.1. I'm currently aware of problems with samples and the admin
> console.
> >
> > Apps must insure they return appropriate content to clients. I don't see
> > how a container could provide general XSS protection... I'm sure there
> > are people who know much more than I on the topic...
> >
> > --kevan
>

Mime
View raw message