[GERONIMO-1540] Fix security vulnerability in jsp-examples - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.1, 1.2
Fix Version/s: 1.1, 1.2
Component/s: sample apps
Security Level: public (Regular issues)
Labels:
None

Patch Info:

Patch Available

Description

Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat jsp-examples that are included in Geronimo. It fails on both Jetty and Tomcat.

This can be reproduced with the following urls:

http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

This JIRA does not address a related problem in the admin console. That problem is addressed in ~~GERONIMO-1474~~.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

geronimo-jsp-examples-tomcat-5.5.15-plus.war
26/Jan/06 06:23
648 kB
Dave Colasurdo
jsp-examples.patch
26/Jan/06 06:23
3 kB
Dave Colasurdo
examples-cumulative.patch
27/Jan/06 05:59
6 kB
Dave Colasurdo
geronimo-servlet-examples-tomcat-5.5.15.war
27/Jan/06 05:59
72 kB
Dave Colasurdo

Activity

People

Assignee:: Kevan Lee Miller

Reporter:: Dave Colasurdo

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 26/Jan/06 06:10

Updated:: 07/Aug/06 15:04

Resolved:: 29/Jan/06 02:02