geronimo-dev mailing list archives

From Joe Bohn <joe.b...@earthlink.net>
Subject Re: Fw: geronimo 1.0 - CSS vulnerabilities
Date Tue, 17 Jan 2006 15:38:30 GMT
Yes, this sounds like the best way to go.

Regarding the specific problem with the web console displaying the web 
access log I'd like to get some consensus.  Is this something that the 
containers should modify when storing the URL as part of a message in 
the appropriate web log?  (I have confirmed this is a problem with both 
Tomcat and Jetty)

Or, should we address this within the web access log viewer and/or 
management objects to modify the content of the log records when they 
are being displayed?

My preference would be to make the modification at the time the log 
record is created.

Joe

Prasad Kashyap wrote:
> The simplest solution to this problem would be to process the strings 
> before they are written out by the jsp by replacing any occurrences of 
> <script> with &lt;script&gt;. This will ensure that the string will be
> rendered as is on the browser and won't be executed.
> 
> Of course, this becomes a tactical solution which every one of our apps, 
> especially the Console, would have to implement. The one-place fix for 
> it should be someplace in the container.
> 
> Cheers
> Prasad.
> 
> On 1/17/06, *Dave Colasurdo* <davecola@earthlink.net> wrote:
> 
>     I've confirmed that the cross-site scripting problem also occurs in
>     jsp-examples in pure Tomcat 5.5.12 without Geronimo.
> 
>     -Dave-
> 
>     Jacek Laskowski wrote:
>      > 2006/1/17, oliver karow <oliver.karow@gmx.de>:
>      >
>      > Hi Oliver,
>      >
>      > I think it belongs to dev now.
>      >
>      >
>      >>>>The first one is a classical cross-site scripting in the
>      >>>>jsp-examples:
>      >>>>
>      >>>>http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
> 
>      >>>
>      >>>Is it us or is it a general and *well-known* Tomcat vulnerability we
>      >>>could not do much to prevent it other than ask Tomcat PMC to get rid
>      >>>of it?
>      >>
>      >>I did not check this, because I installed geronimo/jetty as a complete
>      >>package. I assumed that the sample script belongs to the geronimo.
>      >
>      >
>      > AFAIK, Geronimo doesn't change much in the JSP processing (it does a
>      > little wrt security and such, but JSP compilation and execution is
>      > handed over to Jetty/Tomcat). So, I'd call it a bug in the example
>      > itself or in the way Jetty/Tomcat handles it. I do think it has
>      > nothing to do with Geronimo itself.
>      >
>      > Could you verify that the bug won't happen in a clear Jetty/Tomcat
>      > installation? I'd bet it will (no hands of mine offered intentionally
>      > ;)).
>      >
>      > --
>      > Jacek Laskowski
>      > http://www.laskowski.org.pl
>      >
>      >
> 
> 

-- 
Joe Bohn
joe.bohn at earthlink.net

"He is no fool who gives what he cannot keep, to gain what he cannot 
lose."   -- Jim Elliot
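
Added example (not code from this thread or from Geronimo, Tomcat or Jetty): the display-time option raised in the message above, where the access log viewer HTML-encodes each record as it renders it and the stored log stays unmodified. The class name, method names and the sample log record are constructed for illustration.

```java
import java.util.List;

// Hypothetical viewer helper; not the Geronimo console's own class.
public class AccessLogView {

    // Encode the five characters that are significant in HTML text and
    // quoted attribute values, so the browser renders them literally.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Build the HTML table rows for the viewer. Encoding happens here, at
    // output time; the raw log lines passed in are left untouched.
    static String renderRows(List<String> rawLines) {
        StringBuilder html = new StringBuilder();
        for (String line : rawLines) {
            html.append("<tr><td>").append(escapeHtml(line)).append("</td></tr>\n");
        }
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed access log record using the request quoted in the thread.
        List<String> log = List.of(
            "10.10.10.10 - - [17/Jan/2006:15:38:30 +0000] \"GET /jsp-examples/cal/cal2.jsp"
            + "?time=\"/><script>alert('Gotcha')</script> HTTP/1.1\" 200 1024");
        // The record is emitted as inert text inside the table cell.
        System.out.print(renderRows(log));
    }
}
```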
