geronimo-dev mailing list archives

From Jeff Genender <jgenen...@apache.org>
Subject Re: Fw: geronimo 1.0 - CSS vulnerabilities
Date Tue, 17 Jan 2006 16:19:40 GMT


Prasad Kashyap wrote:
> Is log record the only place where a user input param is written back to the
> browser ? I'd guess not.
> 
> Since Tomcat claims to fix this in v5.5.7, we may have to implement the
> tactical solution in our apps till we move to Tomcat 5.5.7.

We currently use 5.5.9, so I would assume this has been tended to.  Has
anybody examined this to be the case (or not)?

> 
> What about Jetty ?
> 
> Cheers
> Prasad
> 
> On 1/17/06, Joe Bohn <joe.bohn@earthlink.net> wrote:
>> Yes, this sounds like the best way to go.
>>
>> Regarding the specific problem with the web console displaying the web
>> access log I'd like to get some consensus.  Is this something that the
>> containers should modify when storing the URL as part of a message in
>> the appropriate web log?  (I have confirmed this is a problem with both
>> Tomcat and Jetty)
>>
>> Or, should we address this within the web access log viewer and/or
>> management objects to modify the content of the log records when they
>> are being displayed.
>>
>> My preference would be to make the modification at the time the log
>> record is created.
>>
>> Joe
>>
>> Prasad Kashyap wrote:
>>> The simplest solution to this problem would be to process the strings
>>> before they are written out by the jsp by replacing any occurrences of
>>> <script> with &lt;script&gt;.  This will ensure that the string will be
>>> rendered as is on the browser and won't be executed.
>>>
>>> Of course, this becomes a tactical solution which every one of our apps,
>>> especially the Console, would have to implement. The one place fix for
>>> it should be in someplace in the container.
>>>
>>> Cheers
>>> Prasad.
>>>
>>> On 1/17/06, Dave Colasurdo <davecola@earthlink.net> wrote:
>>>
>>>     I've confirmed that the cross-site scripting problem also occurs in
>>>     jsp-examples in pure Tomcat 5.5.12 without Geronimo.
>>>
>>>     -Dave-
>>>
>>>     Jacek Laskowski wrote:
>>>      > 2006/1/17, oliver karow <oliver.karow@gmx.de>:
>>>      >
>>>      > Hi Oliver,
>>>      >
>>>      > I think it belongs to dev now.
>>>      >
>>>      >
>>>      >>>>The first one is a classical cross-site scripting in the
>>>      >>>>jsp-examples:
>>>      >>>>
>>>      >>>>http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/<script>alert('Gotcha')</script>
>>>      >>>
>>>      >>>Is it us or is it a general and *well-known* Tomcat vulnerability we
>>>      >>>could not do much to prevent it other than ask Tomcat PMC to get rid
>>>      >>>of it?
>>>      >>
>>>      >>I did not check this, because I installed geronimo/jetty as a complete
>>>      >>package. I assumed that the sample script belongs to the geronimo.
>>>      >
>>>      >
>>>      > AFAIK, Geronimo doesn't change much in the JSP processing (it does a
>>>      > little wrt security and such, but JSP compilation and execution is
>>>      > handed over to Jetty/Tomcat). So, I'd call it a bug in the example
>>>      > itself or in the way Jetty/Tomcat handles it. I do think it has
>>>      > nothing to do with Geronimo itself.
>>>      >
>>>      > Could you verify that the bug won't happen in a clear Jetty/Tomcat
>>>      > installation? I'd bet it will (no hands of mine offered intentionally
>>>      > ;)).
>>>      >
>>>      > --
>>>      > Jacek Laskowski
>>>      > http://www.laskowski.org.pl
>>>      >
>>>      >
>>>
>>>
>> --
>> Joe Bohn
>> joe.bohn at earthlink.net
>>
>> "He is no fool who gives what he cannot keep, to gain what he cannot
>> lose."   -- Jim Elliot
>>
> 
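As an added example, not code from this thread or from Geronimo, Tomcat or Jetty: a Java routine that HTML-escapes an untrusted request line at the point an access-log record is built, which is the "fix at log record creation" option Joe prefers and a general form of the `&lt;script&gt;` replacement Prasad describes. `formatLogRecord` and its fields are a hypothetical helper, and the sample request line is constructed from the cal2.jsp report quoted above.

```java
/** Escapes untrusted strings (such as a request URL) before they can reach an HTML page. */
public final class AccessLogEscaper {

    /** Replace every character that carries meaning in HTML markup or attributes with an entity. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Hypothetical helper: build one common-log-format record with the
     * request line escaped so the web console can print it verbatim.
     */
    public static String formatLogRecord(String remoteHost, String requestLine,
                                         int status, long bytes) {
        return remoteHost + " - - [timestamp] \"" + escapeHtml(requestLine) + "\" "
                + status + " " + bytes;
    }

    public static void main(String[] args) {
        // Constructed sample: the request line from the cal2.jsp report in the thread.
        String requestLine =
            "GET /jsp-examples/cal/cal2.jsp?time=\"/<script>alert('Gotcha')</script> HTTP/1.1";
        System.out.println(formatLogRecord("10.10.10.10", requestLine, 200, 512));
    }
}
```

If the raw log file should keep the original URL, the same `escapeHtml` call can instead be made in the viewer JSP or management object at display time, which is the other option Joe raises.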
