
Key: JETTY-452
Type: Improvement
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: David Yu
Reporter: David Yu
Votes: 0
Watchers: 0
Jetty

Dump Servlet - prevent possible cross site scripting - CERT VU#237888

Created: 25/Oct/07 09:44 PM   Updated: 02/Nov/07 12:41 AM
Component/s: Servlet
Affects Version/s: 6.1.5, 6.1.6rc0
Fix Version/s: 6.1.6rc1, 6.1.6


File Attachments:
1. dump-edited.patch (4 kB)
2. dump-final.patch (5 kB)
3. dump-servlet.patch (2 kB)
4. dump.patch (4 kB)

Environment: all


Description
There has been a "security" warning raised against the dump servlet, namely that it allows cross-site scripting attacks.

David Yu added a comment - 25/Oct/07 10:31 PM
fix patch attached

Greg Wilkins added a comment - 28/Oct/07 06:42 PM
David,

I think you need to catch a lot more cases, for example getPathInfo.


David Yu added a comment - 29/Oct/07 02:37 AM
dump.patch attached... includes snoop.jsp fix

David Yu added a comment - 30/Oct/07 03:06 AM
Attached dump-edited.patch for the NPE in snoop.jsp.

Jan Bartel added a comment - 30/Oct/07 05:28 PM
The fix for snoop.jsp causes it to incorrectly format the page with mismatched or missing markup tags - can you look into that?

thanks
Jan


David Yu added a comment - 30/Oct/07 10:28 PM
dump-final.patch attached.
Filters "<" and ">" to &lt; and &gt;

Jan Bartel added a comment - 31/Oct/07 02:50 AM
You need to escape the outputting of the Http parameters, and also the cookies.

cheers
Jan


Greg Wilkins added a comment - 02/Nov/07 12:41 AM
I redid this so instead of inserting replace().replace() everywhere, there is a private notag
method that is called.

Also many of the getPathInfo and similar methods were not protected.
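The pattern Greg describes above (one private escaping helper applied to every request value the dump servlet reflects: path info, parameter names and values, cookies), as an added standalone example; this is not Jetty's own code or patch, and the `dump` signature taking plain maps is an assumption standing in for HttpServletRequest. It also escapes `&` and `"` in addition to `<` and `>`, so that the entities it emits cannot be re-expanded by untrusted input.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class DumpEscapeExample {

    /** Escape the characters that let untrusted text break out of HTML text content.
     *  '&' is handled too, so an input like "&lt;" is shown literally rather than re-expanded. */
    static String notag(String s) {
        if (s == null) return "null";
        StringBuilder b = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': b.append("&amp;"); break;
                case '<': b.append("&lt;"); break;
                case '>': b.append("&gt;"); break;
                case '"': b.append("&quot;"); break;
                default: b.append(c);
            }
        }
        return b.toString();
    }

    /** Stand-in for the request fields a dump page reflects (assumption, not the servlet API).
     *  Every attacker-controlled string passes through notag() before reaching the HTML. */
    static String dump(String pathInfo, Map<String, List<String>> params, Map<String, String> cookies) {
        StringBuilder html = new StringBuilder("<table>\n");
        html.append("<tr><th>getPathInfo</th><td>").append(notag(pathInfo)).append("</td></tr>\n");
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            // Parameter names come from the client as well, so they are escaped like values.
            html.append("<tr><th>param ").append(notag(e.getKey())).append("</th><td>");
            for (String v : e.getValue()) html.append(notag(v)).append(' ');
            html.append("</td></tr>\n");
        }
        for (Map.Entry<String, String> c : cookies.entrySet()) {
            html.append("<tr><th>cookie ").append(notag(c.getKey())).append("</th><td>")
                .append(notag(c.getValue())).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup in each reflected field.
        Map<String, List<String>> params = new LinkedHashMap<>();
        params.put("q", List.of("<b>bold</b>", "a&b"));
        Map<String, String> cookies = new LinkedHashMap<>();
        cookies.put("session", "\"><i>x</i>");
        System.out.println(dump("/<u>path</u>", params, cookies));
    }
}
```

Running it prints a table in which every angle bracket, ampersand and quote from the input appears as an entity, so the browser renders the values as text instead of markup.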