geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Genender <jgenen...@apache.org>
Subject Re: geronimo 1.0 - CSS vulnerabilities - response from Tomcat team
Date Wed, 18 Jan 2006 18:47:49 GMT
Where I am going at with this...is this a vulnerability caused by coding
the apps, or the containers themselves?

i.e., Will I have this problem with a perl app running on httpd? or
ASP/C# on IIS?  Is this type of vulnerability a facet of responsibility
that lies on the container, or the developer?

I am just trying to assess this as a true vulnerability from a web
container perspective.  I am assuming, that yes, the container could
change the < and > to lt&; and gt&;.  But, I am wondering where we draw
the line and wonder if that is too heavy handed.

If the other web servers provide protection from this, then I guess its
safe to assume we should follow the pack. OTOH, I surely would not want
to take away too much responsibility of the developer to ensure they are
properly securing their own apps, while maintaining a bit of flexibility
for them.

Jeff

Kevan Miller wrote:
> 
> On Jan 18, 2006, at 11:24 AM, Jeff Genender wrote:
> 
>> So assuming this appears to be somewhat "examples" related, is this
>> truly a container problem, or just the jsp examples implementation?
> 
> IANASE, but it seems that any vulnerabilities must be fixed in the apps
> themselves -- certainly seems like the only course of action for G
> 1.0.1. I'm currently aware of problems with samples and the admin console.
> 
> Apps must insure they return appropriate content to clients. I don't see
> how a container could provide general XSS protection... I'm sure there
> are people who know much more than I on the topic...
> 
> --kevan

Mime
View raw message