Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0
    • Fix Version/s: 1.1, 1.2
    • Component/s: console, security
    • Security Level: public (Regular issues)
    • Labels:
      None
    • Patch Info:
      Patch Available

      Description

      Reported by oliver karow:

      The Web-Access-Log viewer does no filtering for HTML/script tags, and
      therefore allows attacks against the user of the admin console:

      http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

      Also reported:

      The first one is a classic cross-site scripting in the jsp-examples:
      http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

        Activity

        Paul McMahan added a comment -

        Attaching a patch that will escape any special html chars read from the web, derby, and system logs before displaying them in the log viewer portlets. The <c:out> jstl tag is used for this purpose, setting the escapeXml attribute to true. The JSTL 1.0 specification for this tag says:

        "If escapeXml is true, the following character conversions are applied:

        Character   Character Entity Code
        <           &lt;
        >           &gt;
        &           &amp;
        '           &#039;
        "           &#034;"

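        The escaping described in the comment above, applied to a constructed access-log line that carries the payload from the report, as an added Java example (not the Geronimo patch itself, which uses the `<c:out>` tag in the portlet JSPs; the `escapeXml` method here reimplements the five JSTL 1.0 conversions by hand for illustration):

```java
/** Hand-written equivalent of the JSTL 1.0 <c:out escapeXml="true"> conversions. */
public class LogLineEscaper {

    /** Replaces every markup-forming character with the entity the JSTL spec lists. */
    public static String escapeXml(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed sample line in Tomcat access-log format; the request carries the
    // script payload from the report, so it would land in the log viewer portlet.
    static final String SAMPLE_LOG_LINE =
        "10.10.10.10 - - [01/Jan/2006:00:00:00 +0000] \"GET /jsp-examples/cal/cal2.jsp"
        + "?time=\"/><script>alert(document.cookie)</script> HTTP/1.1\" 200 512";

    public static void main(String[] args) {
        // Before the patch: the raw line is written into the page, so <script> is live markup.
        System.out.println("unescaped: " + SAMPLE_LOG_LINE);

        // After the patch: each of < > & ' " becomes an entity and the browser renders text only.
        String safe = escapeXml(SAMPLE_LOG_LINE);
        System.out.println("escaped:   " + safe);

        if (safe.contains("<") || safe.contains(">") || safe.contains("\"")) {
            throw new IllegalStateException("markup-forming characters survived escaping");
        }
    }
}
```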
        Paul McMahan added a comment -

        Please note that the patch for the admin portlets does not address any XSS vulnerabilities in the sample applications. Based on recent discussion on the dev list my understanding is that the tomcat dev team will address any vulnerabilities in the samples they provide.

        Aaron Mulder added a comment -

        Patch applied, thanks!


          People

          • Assignee: Aaron Mulder
          • Reporter: Greg Wilkins
          • Votes: 1
          • Watchers: 0
