Jetty

Dump Servlet - prevent possible cross site scripting - CERT VU#237888

Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 6.1.5, 6.1.6rc0
  • Fix Version/s: 6.1.6rc1, 6.1.6
  • Component/s: Servlet
  • Labels: None
  • Environment: all
  • Number of attachments: 4

Description

There has been a "security" warning raised against the dump servlet, namely that it allows cross site scripting attacks.

  1. dump.patch
    29/Oct/07 2:37 AM
    4 kB
    David Yu
  2. dump-edited.patch
    30/Oct/07 3:06 AM
    4 kB
    David Yu
  3. dump-final.patch
    31/Oct/07 3:36 AM
    5 kB
    David Yu
  4. dump-servlet.patch
    25/Oct/07 10:31 PM
    2 kB
    David Yu

Activity

David Yu added a comment -

fix patch attached

Greg Wilkins added a comment -

David,

I think you need to catch a lot more cases, for example getPathInfo.

David Yu added a comment -

dump.patch attached... includes snoop.jsp fix

David Yu added a comment -

attached dump-edited.patch for the NPE in snoop.jsp

Jan Bartel added a comment -

The fix for snoop.jsp causes it to incorrectly format the page with mismatched or missing markup tags - can you look into that?

thanks
Jan

David Yu added a comment -

dump-final.patch attached.
filters "<" and ">" to (amp)lt; and (amp)gt;

Jan Bartel added a comment -

You need to escape the outputting of the Http parameters, and also the cookies.

cheers
Jan

Greg Wilkins added a comment -

I redid this so instead of inserting replace().replace() everywhere, there is a private notag method that is called.

Also many of the getPathInfo and similar methods were not protected.

