From: Joe Bohn
Date: Tue, 17 Jan 2006 11:52:48 -0500
To: dev@geronimo.apache.org
Subject: Re: Fw: geronimo 1.0 - CSS vulnerabilities
In-Reply-To: <43CD191C.8030704@apache.org>

I've verified the problem on both Tomcat and Jetty in Geronimo 1.0 ... so I think that means it has not yet been addressed in Tomcat 5.5.9.

Joe

Jeff Genender wrote:
>
> Prasad Kashyap wrote:
>
>> Is log record the only place where a user input param is written back to the
>> browser? I'd guess not.
>>
>> Since Tomcat claims to fix this in v5.5.7, we may have to implement the
>> tactical solution in our apps till we move to Tomcat 5.5.7.
>
> We currently use 5.5.9, so I would assume this has been tended to. Has
> anybody examined this to be the case (or not)?
>
>> What about Jetty?
>>
>> Cheers
>> Prasad
>>
>> On 1/17/06, Joe Bohn wrote:
>>
>>> Yes, this sounds like the best way to go.
>>>
>>> Regarding the specific problem with the web console displaying the web
>>> access log I'd like to get some consensus. Is this something that the
>>> containers should modify when storing the URL as part of a message in
>>> the appropriate web log? (I have confirmed this is a problem with both
>>> Tomcat and Jetty)
>>>
>>> Or, should we address this within the web access log viewer and/or
>>> management objects to modify the content of the log records when they
>>> are being displayed.
>>>
>>> My preference would be to make the modification at the time the log
>>> record is created.
>>>
>>> Joe
>>>
>>> Prasad Kashyap wrote:
>>>
>>>> The simplest solution to this problem would be to process the strings
>>>> before they are written out by the jsp by replacing any occurrences of
>>>>
>>>> >>> Is it us or is it a general and *well-known* Tomcat vulnerability we
>>>> >>> could not do much to prevent it other than ask Tomcat PMC to get rid
>>>> >>> of it?
>>>> >>
>>>> >> I did not check this, because I installed geronimo/jetty as a complete
>>>> >> package. I assumed that the sample script belongs to the geronimo.
>>>> >
>>>> > AFAIK, Geronimo doesn't change much in the JSP processing (it does a
>>>> > little wrt security and such, but JSP compilation and execution is
>>>> > handed over to Jetty/Tomcat). So, I'd call it a bug in the example
>>>> > itself or in the way Jetty/Tomcat handles it. I do think it has
>>>> > nothing to do with Geronimo itself.
>>>> >
>>>> > Could you verify that the bug won't happen in a clear Jetty/Tomcat
>>>> > installation? I'd bet it will (no hands of mine offered intentionally
>>>> > ;)).
>>>> >
>>>> > --
>>>> > Jacek Laskowski
>>>> > http://www.laskowski.org.pl
>>>>
>>>
>>> --
>>> Joe Bohn
>>> joe.bohn at earthlink.net
>>>
>>> "He is no fool who gives what he cannot keep, to gain what he cannot
>>> lose." -- Jim Elliot
>>

--
Joe Bohn
joe.bohn at earthlink.net

"He is no fool who gives what he cannot keep, to gain what he cannot lose." -- Jim Elliot
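Both fixes discussed in the thread (escape the record when the container writes it, or escape it when the console JSP displays it) reduce to the same step: HTML-escape every field of the access-log record before it reaches the browser. The example below is added here and is not Geronimo's, Tomcat's or Jetty's code; it assumes Common Log Format records and uses a constructed sample line.

```python
import html
import re

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
FIELDS = ("host", "ident", "user", "time", "request", "status", "bytes")


def parse_access_log_line(line):
    """Split one access-log record into its fields; None if it is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def escape_field(value):
    """Replace the characters that let log text be read as HTML markup.

    Apply this when the record is created (the write-time option) or when the
    viewer renders it (the display-time option); the transformation is the same.
    """
    return html.escape(value, quote=True)


def render_log_row(line):
    """Render one record as an HTML table row with every field escaped.

    An unparseable line is still escaped as a whole rather than emitted raw, so
    a malformed request cannot bypass the escaping by breaking the parser.
    """
    fields = parse_access_log_line(line)
    if fields is None:
        return '<tr><td colspan="7">%s</td></tr>' % escape_field(line)
    cells = "".join("<td>%s</td>" % escape_field(fields[k]) for k in FIELDS)
    return "<tr>%s</tr>" % cells


def contains_raw_markup(rendered_row):
    """Defender's check: after removing the tr/td tags this module emits, no
    '<' or '>' may remain, i.e. nothing from the log became live markup."""
    stripped = re.sub(r'</?t[rd](?: colspan="7")?>', "", rendered_row)
    return "<" in stripped or ">" in stripped


# Constructed sample record: a request whose path carries a script tag, the
# shape of input the thread describes being written back into the console.
SAMPLE_LINE = ('127.0.0.1 - - [17/Jan/2006:11:52:48 -0500] '
               '"GET /console/<script>alert(1)</script> HTTP/1.1" 404 0')

if __name__ == "__main__":
    print(render_log_row(SAMPLE_LINE))
```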