
Key: GERONIMO-1474
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Aaron Mulder
Reporter: Greg Wilkins
Votes: 1
Watchers: 0
Geronimo

Cross site scripting vulnerabilities

Created: 15/Jan/06 09:26 PM   Updated: 13/Mar/07 04:20 AM
Component/s: console, security
Affects Version/s: 1.0
Fix Version/s: 1.1, 1.2
Security Level: public (Regular issues)

Time Tracking:
Not Specified

File Attachments:
  GERONIMO-1474.patch (text file, 2 kB, licensed for inclusion in ASF works) - Paul McMahan, 2006-01-19 04:01 AM

Patch Info: Patch Available
Resolution Date: 26/Jan/06 06:35 AM


Description
Reported by oliver karow:

The Web-Access-Log viewer does no filtering of HTML/script tags, and
therefore allows attacks against the user of the admin console:

http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

Also reported:

The first one is a classical cross-site scripting in the jsp-examples:
http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>



Aaron Mulder made changes - 16/Jan/06 01:48 AM
Field Original Value New Value
Component/s security [ 11143 ]
Fix Version/s 1.1 [ 12310181 ]
Description (old and new value are both the description text shown above)
Paul McMahan added a comment - 19/Jan/06 04:01 AM
Attaching a patch that will escape any special html chars read from the web, derby, and system logs before displaying them in the log viewer portlets. The <c:out> jstl tag is used for this purpose, setting the escapeXml attribute to true. The JSTL 1.0 specification for this tag says:

"If escapeXml is true, the following character conversions are applied:

Character   Character Entity Code
<           &lt;
>           &gt;
&           &amp;
'           &#039;
"           &#034;"


Paul McMahan made changes - 19/Jan/06 04:01 AM
Attachment GERONIMO-1474.patch [ 12322088 ]
Paul McMahan made changes - 19/Jan/06 04:01 AM
Geronimo Info [Patch Available]
Paul McMahan added a comment - 19/Jan/06 04:07 AM
Please note that the patch for the admin portlets does not address any XSS vulnerabilities in the sample applications. Based on recent discussion on the dev list my understanding is that the tomcat dev team will address any vulnerabilities in the samples they provide.

Repository: ASF, revision #372322, Wed Jan 25 21:33:48 UTC 2006, user ammulder
Message: Log viewer escapes log messages (GERONIMO-1474) -- Thanks to Paul McMahan for the patch
Files Changed
MODIFY /geronimo/branches/1.0/applications/console-standard/src/webapp/WEB-INF/view/logmanager/search.jsp
MODIFY /geronimo/branches/1.0/applications/console-standard/src/webapp/WEB-INF/view/derbylogmanager/view.jsp
MODIFY /geronimo/branches/1.0/applications/console-standard/src/webapp/WEB-INF/view/webaccesslogmanager/view.jsp

Repository: ASF, revision #372324, Wed Jan 25 21:35:35 UTC 2006, user ammulder
Message: Merge fix for GERONIMO-1474 from branch
Files Changed
MODIFY /geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/logmanager/search.jsp
MODIFY /geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/derbylogmanager/view.jsp
MODIFY /geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/webaccesslogmanager/view.jsp

Aaron Mulder added a comment - 26/Jan/06 06:35 AM
Patch applied, thanks!

Aaron Mulder made changes - 26/Jan/06 06:35 AM
Assignee Aaron Mulder [ ammulder ]
Status Open [ 1 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
David Blevins made changes - 04/Aug/06 10:28 PM
Workflow jira [ 12345730 ] RTC Workflow [ 12378306 ]
Alan Cabrera made changes - 07/Aug/06 03:04 PM
Workflow RTC Workflow [ 12378306 ] jira [ 12380078 ]