Issue Details (XML | Word | Printable)

Key: JETTY-452
Type: Improvement Improvement
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: David Yu
Reporter: David Yu
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
Jetty

Dump Servlet - prevent possible cross site scripting - CERT VU#237888

Created: 25/Oct/07 09:44 PM   Updated: 02/Nov/07 12:41 AM   Resolved: 02/Nov/07 12:41 AM
Return to search
Component/s: Servlet
Affects Version/s: 6.1.5, 6.1.6rc0
Fix Version/s: 6.1.6rc1, 6.1.6

Time Tracking:
Not Specified

File Attachments: 1. Text File dump-edited.patch (4 kB)
2. Text File dump-final.patch (5 kB)
3. Text File dump-servlet.patch (2 kB)
4. Text File dump.patch (4 kB)
Environment: all


 Description  « Hide

There has been a "security" warning raised against the dump servlet namely that it allows cross site scripting attacks

Sort Order: Ascending order - Click to sort in descending order
[ Permalink | « Hide ]
David Yu added a comment - 25/Oct/07 10:31 PM

fix patch attached


David Yu made changes - 25/Oct/07 10:31 PM
Field Original Value New Value
Attachment dump-servlet.patch [ 30126 ]
Greg Wilkins made changes - 25/Oct/07 10:44 PM
Assignee David Yu [ dyu ]
[ Permalink | « Hide ]
Greg Wilkins added a comment - 28/Oct/07 06:42 PM

David,

I think you need to catch a lot more cases. for example getPathInfo


[ Permalink | « Hide ]
David Yu added a comment - 29/Oct/07 02:37 AM

dump.patch attached... includes snoop.jsp fix


David Yu made changes - 29/Oct/07 02:37 AM
Attachment dump.patch [ 30177 ]
[ Permalink | « Hide ]
David Yu added a comment - 30/Oct/07 03:06 AM

attached dump-edited.patch for the NPE in snoop.jsp


David Yu made changes - 30/Oct/07 03:06 AM
Attachment dump-edited.patch [ 30248 ]
[ Permalink | « Hide ]
Jan Bartel added a comment - 30/Oct/07 05:28 PM

The fix for snoop.jsp causes it to incorrectly format the page with mismatched or missing markup tags - can you look into that?

thanks
Jan


[ Permalink | « Hide ]
David Yu added a comment - 30/Oct/07 10:28 PM

dump-final.patch attached.
filters "<" and ">" to (amp)lt; and (amp)gt;


David Yu made changes - 30/Oct/07 10:28 PM
Attachment dump-final.patch [ 30273 ]
David Yu made changes - 30/Oct/07 10:51 PM
Attachment dump-final.patch [ 30273 ]
David Yu made changes - 30/Oct/07 10:52 PM
Attachment dump-final.patch [ 30274 ]
[ Permalink | « Hide ]
Jan Bartel added a comment - 31/Oct/07 02:50 AM

You need to escape the outputting of the Http parameters, and also the cookies.

cheers
Jan


David Yu made changes - 31/Oct/07 03:36 AM
Attachment dump-final.patch [ 30274 ]
David Yu made changes - 31/Oct/07 03:36 AM
Attachment dump-final.patch [ 30277 ]
[ Permalink | « Hide ]
Greg Wilkins added a comment - 02/Nov/07 12:41 AM

I redid this so instead of inserting replace().replace() everywhere, there is a private notag
method that is called.

Also many of the getPathInfo and similar methods were not protected.


Greg Wilkins made changes - 02/Nov/07 12:41 AM
Status Open [ 1 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Atlassian JIRA (v4.0#466) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.