geronimo-dev mailing list archives

From Joe Bohn <joe.b...@earthlink.net>
Subject Re: Fw: geronimo 1.0 - CSS vulnerabilities
Date Tue, 17 Jan 2006 16:52:48 GMT
I've verified the problem on both Tomcat and Jetty in Geronimo 1.0 ...
so I think that means it has not yet been addressed in Tomcat 5.5.9.

Joe

Jeff Genender wrote:
> 
> Prasad Kashyap wrote:
> 
>>Is log record the only place where a user input param is written back to the
>>browser? I'd guess not.
>>
>>Since Tomcat claims to fix this in v5.5.7, we may have to implement the
>>tactical solution in our apps till we move to Tomcat 5.5.7.
> 
> 
> We currently use 5.5.9, so I would assume this has been tended to.  Has
> anybody examined this to be the case (or not)?
> 
> 
>>What about Jetty?
>>
>>Cheers
>>Prasad
>>
>>On 1/17/06, Joe Bohn <joe.bohn@earthlink.net> wrote:
>>
>>>Yes, this sounds like the best way to go.
>>>
>>>Regarding the specific problem with the web console displaying the web
>>>access log I'd like to get some consensus.  Is this something that the
>>>containers should modify when storing the URL as part of a message in
>>>the appropriate web log?  (I have confirmed this is a problem with both
>>>Tomcat and Jetty)
>>>
>>>Or, should we address this within the web access log viewer and/or
>>>management objects to modify the content of the log records when they
>>>are being displayed.
>>>
>>>My preference would be to make the modification at the time the log
>>>record is created.
>>>
>>>Joe
>>>
>>>Prasad Kashyap wrote:
>>>
>>>>The simplest solution to this problem would be to process the strings
>>>>before they are written out by the jsp by replacing any occurrences of
>>>><script> with &lt;script&gt;. This will ensure that the string will be
>>>>rendered as is on the browser and won't be executed.
>>>>
>>>>Of course, this becomes a tactical solution which every one of our app,
>>>>especially the Console, would have to implement. The one place fix for
>>>>it should be in someplace in the container.
>>>>
>>>>Cheers
>>>>Prasad.
>>>>
>>>>On 1/17/06, Dave Colasurdo <davecola@earthlink.net> wrote:
>>>>
>>>>    I've confirmed that the cross-site scripting problem also occurs in
>>>>    jsp-examples in pure Tomcat 5.5.12 without Geronimo.
>>>>
>>>>    -Dave-
>>>>
>>>>    Jacek Laskowski wrote:
>>>>     > 2006/1/17, oliver karow <oliver.karow@gmx.de>:
>>>>     >
>>>>     > Hi Oliver,
>>>>     >
>>>>     > I think it belongs to dev now.
>>>>     >
>>>>     >
>>>>     >>>>The first one is a classical cross-site scripting in the
>>>>     >>>>jsp-examples:
>>>>     >>>>
>>>>     >>>>http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
>>>>
>>>>     >>>
>>>>     >>>Is it us or is it a general and *well-known* Tomcat vulnerability we
>>>>     >>>could not do much to prevent it other than ask Tomcat PMC to get rid
>>>>     >>>of it?
>>>>     >>
>>>>     >>I did not check this, because I installed geronimo/jetty as a complete
>>>>     >>package. I assumed that the sample script belongs to Geronimo.
>>>>     >
>>>>     >
>>>>     > AFAIK, Geronimo doesn't change much in the JSP processing (it does a
>>>>     > little wrt security and such, but JSP compilation and execution is
>>>>     > handed over to Jetty/Tomcat). So, I'd call it a bug in the example
>>>>     > itself or in the way Jetty/Tomcat handles it. I do think it has
>>>>     > nothing to do with Geronimo itself.
>>>>     >
>>>>     > Could you verify that the bug won't happen in a clear Jetty/Tomcat
>>>>     > installation? I'd bet it will (no hands of mine offered intentionally
>>>>     > ;)).
>>>>     >
>>>>     > --
>>>>     > Jacek Laskowski
>>>>     > http://www.laskowski.org.pl
>>>>     >
>>>>     >
>>>>
>>>>
>>>--
>>>Joe Bohn
>>>joe.bohn at earthlink.net
>>>
>>>"He is no fool who gives what he cannot keep, to gain what he cannot
>>>lose."   -- Jim Elliot
>>>
>>
> 
> 

-- 
Joe Bohn
joe.bohn at earthlink.net

"He is no fool who gives what he cannot keep, to gain what he cannot 
lose."   -- Jim Elliot
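A defender-side illustration of the output-encoding fix debated in this thread, added here as an example and not code from the Geronimo project: it encodes every HTML-significant character of an access-log record before a viewer JSP writes it out, rather than replacing only the literal `<script>` token, and can be applied either when the log record is created (Joe's preference) or when it is displayed. The class and method names are assumptions; the log line is a constructed sample modelled on the cal2.jsp request quoted above.

```java
/** Added example: HTML-encode access-log records before a viewer page writes them out. */
public final class LogRecordEscaper {

    private LogRecordEscaper() {}

    /**
     * Encode the five HTML-significant characters. Encoding all of them, not only the
     * literal "<script>" token, means any markup carried in a logged URL is rendered
     * by the browser as text instead of being interpreted.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** True if the encoded text still contains anything a browser could parse as a tag. */
    public static boolean containsMarkup(String encoded) {
        return encoded.indexOf('<') >= 0 || encoded.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample record (hypothetical), modelled on the cal2.jsp request in the thread.
        String record = "10.10.10.10 - - [17/Jan/2006:16:52:48 +0000] "
                + "\"GET /jsp-examples/cal/cal2.jsp?time=\"/><script>alert('Gotcha')</script> HTTP/1.1\" 200 -";
        String safe = escapeHtml(record);
        // Self-check: the encoded record must no longer contain raw angle brackets.
        if (containsMarkup(safe)) {
            throw new IllegalStateException("encoding failed");
        }
        System.out.println(safe);
    }
}
```

Applying the encoder at log-creation time protects every consumer of the log, while applying it in the viewer JSP protects only that one page; the thread's "one place fix" argument points at the former.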
