
Key: GERONIMO-1474
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Aaron Mulder
Reporter: Greg Wilkins
Votes: 1
Watchers: 0
Project: Geronimo

Cross-site scripting vulnerabilities

Created: 15/Jan/06 09:26 PM   Updated: 13/Mar/07 04:20 AM
Component/s: console, security
Affects Version/s: 1.0
Fix Version/s: 1.1, 1.2
Security Level: public (Regular issues)

Time Tracking:
Not Specified

File Attachments:
GERONIMO-1474.patch (text file, 2 kB; licensed for inclusion in ASF works), attached 2006-01-19 04:01 AM by Paul McMahan

Patch Info: Patch Available
Resolution Date: 26/Jan/06 06:35 AM


Description

Reported by Oliver Karow:

The Web-Access-Log viewer does no filtering for html-/script-tags, and
therefore allows attacks against the user of the admin-console:

http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

Also reported:

The first one is a classical cross-site scripting in the jsp-examples:
http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>



Comments
Paul McMahan added a comment - 19/Jan/06 04:01 AM
Attaching a patch that will escape any special html chars read from the web, derby, and system logs before displaying them in the log viewer portlets. The <c:out> jstl tag is used for this purpose, setting the escapeXml attribute to true. The JSTL 1.0 specification for this tag says:

"If escapeXml is true, the following character conversions are applied:

Character   Character Entity Code
<           &lt;
>           &gt;
&           &amp;
'           &#039;
"           &#034;


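The following is an added example, not Geronimo's code and not the attached patch. It models in plain Java what the report and the comment above describe: a log-viewer portlet that writes access-log lines into the page verbatim (so the `<script>` payload from the report executes in the administrator's browser) beside the same rendering with the five JSTL 1.0 `escapeXml` conversions applied. The class and method names (`LogViewerEscaping`, `renderRaw`, `renderEscaped`), the JSP fragments in the comment, and the sample access-log lines are all constructed for illustration; the portlets' real JSP markup is not on this page.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Geronimo's code): the log-viewer behaviour before and
 * after GERONIMO-1474, modelled in plain Java.
 *
 * Before the patch the portlet JSP wrote each log line straight into the
 * page, roughly (assumed markup):
 *     <%= logLine %>
 * After the patch the value goes through JSTL with escaping enabled:
 *     <c:out value="${logLine}" escapeXml="true"/>
 * escapeXml() below applies exactly the five conversions the JSTL 1.0
 * specification lists for <c:out>.
 */
public class LogViewerEscaping {

    /** The JSTL 1.0 escapeXml conversions, in the order the spec lists them. */
    public static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable rendering: the attacker-controlled request line lands in the HTML as-is. */
    public static String renderRaw(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>\n");
        for (String line : lines) {
            html.append(line).append('\n');
        }
        return html.append("</pre>").toString();
    }

    /** Fixed rendering: every log line is escaped before it reaches the page. */
    public static String renderEscaped(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>\n");
        for (String line : lines) {
            html.append(escapeXml(line)).append('\n');
        }
        return html.append("</pre>").toString();
    }

    /**
     * Practitioner's check: after escaping, none of the characters that can
     * open a tag, close an attribute or start an entity survive in the line,
     * so the only markup on the page is what the template itself wrote.
     */
    public static boolean escapedLineIsInert(String rawLine) {
        String e = escapeXml(rawLine);
        return e.indexOf('<') < 0 && e.indexOf('>') < 0
            && e.indexOf('"') < 0 && e.indexOf('\'') < 0
            && !e.replace("&lt;", "").replace("&gt;", "").replace("&amp;", "")
                 .replace("&#039;", "").replace("&#034;", "").contains("&");
    }

    public static void main(String[] args) {
        // Constructed access-log lines; the second carries the payload quoted in the report.
        List<String> accessLog = Arrays.asList(
            "10.10.10.10 - - [15/Jan/2006:21:26:00 +0000] \"GET /console/ HTTP/1.1\" 200 1532",
            "10.10.10.10 - - [15/Jan/2006:21:26:05 +0000] \"GET /jsp-examples/cal/cal2.jsp"
                + "?time=\"/><script>alert(document.cookie)</script> HTTP/1.1\" 404 952"
        );

        System.out.println("--- before GERONIMO-1474: the script tag reaches the admin's browser ---");
        System.out.println(renderRaw(accessLog));
        System.out.println("--- after GERONIMO-1474: <c:out escapeXml=\"true\"> ---");
        System.out.println(renderEscaped(accessLog));
        System.out.println("payload line inert after escaping: " + escapedLineIsInert(accessLog.get(1)));
    }
}
```

The point of the check is that escaping at output time neutralises the payload regardless of how it got into the log: the attacker only needs to send one request to the server to plant it, and the viewer, not the request handler, is where the browser is exposed. Note also that the conversion table covers both quote characters, which matters if a log value is ever placed inside an attribute rather than between tags as in this example.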
Paul McMahan added a comment - 19/Jan/06 04:07 AM
Please note that the patch for the admin portlets does not address any XSS vulnerabilities in the sample applications. Based on recent discussion on the dev list my understanding is that the tomcat dev team will address any vulnerabilities in the samples they provide.

Aaron Mulder added a comment - 26/Jan/06 06:35 AM
Patch applied, thanks!