tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 8410] New: - Parameters passed with jsp:param not encoded and vulnerable to overwriting
Date Tue, 23 Apr 2002 12:30:14 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8410>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8410

Parameters passed with jsp:param not encoded and vulnerable to overwriting

           Summary: Parameters passed with jsp:param not encoded and
                    vulnerable to overwriting
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Jasper
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: philip.moston@quinscape.de


When passing a string value to a JSP using the jsp:forward and jsp:param 
methods, parameters can be overwritten or added. Also, strings containing 
certain characters are not processed properly.

Example
-------
thispage.jsp:
String message = "somevalue&anotherkey=anothervalue";

<jsp:forward page="somepage.jsp">
  <jsp:param name="somekey" value="<%=message%>" />
</jsp:forward>

The resulting java code in the work-folder is:

String message = "somevalue&anotherkey=anothervalue";
if (true) {
  out.clear();
  String _jspx_qfStr = "";
  _jspx_qfStr = _jspx_qfStr + "?somekey=" +message;
  pageContext.forward("somepage.jsp" +  _jspx_qfStr);
  return;
}

As we can see, the variable message is simply appended to the GET-string 
without any kind of parsing, encoding or masking. In somepage.jsp we can now 
access the parameter "anotherkey" with its value "anothervalue". This also 
leads to the problem that any string containing the characters "=" or "&" is 
not passed properly. A string containing the "=" character (not following 
a "&" character) results in the passed string evaluating to null.
Example:
somevalue=anothervalue
This nulls the value of somekey.
If the string contains the "&" character (i.e. somevalue&anothervalue), the 
value of somekey is cut off at the "&". Even escaping the "&" character with 
&amp; doesn't work.

Here comes the security risk. Assuming we know the names of the parameters and 
the order they are passed in, it is possible to overwrite following parameters.

Example:
bug.jsp
<%@ page language="java" contentType="text/html" %>

<%
    String message = request.getParameter("message");
%>
<jsp:forward page="somepage.jsp">
    <jsp:param name="somekey" value="<%=message%>" />
    <jsp:param name="athirdkey" value="athirdvalue" />
</jsp:forward>

somepage.jsp now looks like this:
<%@ page language="java" contentType="text/html" %>

<%
    String message = request.getParameter("somekey");
    String anothervalue = request.getParameter("anotherkey");
    String athirdvalue = request.getParameter("athirdkey");
    out.println("somekey="+message);
    out.println("anotherkey="+anothervalue);
    out.println("athirdkey="+athirdvalue);
%>

Now consider the following input for the parameter "message" going into 
bug.jsp:
somevalue&athirdkey=adifferentvalue

The output of somepage.jsp is now:
somekey=somevalue anotherkey=null athirdkey=adifferentvalue

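The overwrite above comes from appending the value to the query string without encoding. As an added example (not part of the report, nor Jasper's own code), the raw concatenation is placed beside a version that URL-encodes each name and value, with a simplified stand-in for the container's query-string parser so the two outcomes can be compared; the class, method names and the parser model are assumptions of this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class JspParamEncoding {
    // Mirrors the Jasper-generated code quoted above: raw concatenation, no encoding.
    static String buildQueryUnencoded(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sb.length() == 0 ? "?" : "&")
              .append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    // Corrected form: name and value are URL-encoded before concatenation, so an
    // '&' or '=' inside a value is sent as %26 or %3D and cannot act as a separator.
    static String buildQueryEncoded(Map<String, String> params) throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sb.length() == 0 ? "?" : "&")
              .append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    // Simplified model of the container's query-string parser (an assumption, not Tomcat's code):
    // split on '&', then on the first '=', decode, keep the first value per name (as getParameter does).
    static Map<String, String> parseQuery(String query) throws UnsupportedEncodingException {
        Map<String, String> out = new LinkedHashMap<String, String>();
        for (String pair : query.substring(1).split("&")) {
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            if (!out.containsKey(name)) out.put(name, value);
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("somekey", "somevalue&athirdkey=adifferentvalue"); // the report's input
        params.put("athirdkey", "athirdvalue");
        // Raw: the injected pair is seen first and wins; encoded: athirdkey keeps its declared value.
        System.out.println("unencoded: " + parseQuery(buildQueryUnencoded(params)));
        System.out.println("encoded:   " + parseQuery(buildQueryEncoded(params)));
    }
}
```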