Dump Servlet - prevent possible cross site scripting - CERT VU#237888

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 6.1.5, 6.1.6rc0
Fix Version/s: 6.1.6rc1, 6.1.6
Component/s: Servlet
Labels:
None
Environment:
all

Number of attachments :
4

Description

There has been a "security" warning raised against the dump servlet namely that it allows cross site scripting attacks

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

dump.patch

29/Oct/07 2:37 AM

4 kB

David Yu
dump-edited.patch

30/Oct/07 3:06 AM

4 kB

David Yu
dump-final.patch

31/Oct/07 3:36 AM

5 kB

David Yu
dump-servlet.patch

25/Oct/07 10:31 PM

2 kB

David Yu

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

David Yu added a comment - 25/Oct/07 10:31 PM

fix patch attached

Show

David Yu added a comment - 25/Oct/07 10:31 PM fix patch attached

Hide

Permalink

Greg Wilkins added a comment - 28/Oct/07 6:42 PM

David,

I think you need to catch a lot more cases. for example getPathInfo

Show

Greg Wilkins added a comment - 28/Oct/07 6:42 PM David, I think you need to catch a lot more cases. for example getPathInfo

Hide

Permalink

David Yu added a comment - 29/Oct/07 2:37 AM

dump.patch attached... includes snoop.jsp fix

Show

David Yu added a comment - 29/Oct/07 2:37 AM dump.patch attached... includes snoop.jsp fix

Hide

Permalink

David Yu added a comment - 30/Oct/07 3:06 AM

attached dump-edited.patch for the NPE in snoop.jsp

Show

David Yu added a comment - 30/Oct/07 3:06 AM attached dump-edited.patch for the NPE in snoop.jsp

Hide

Permalink

Jan Bartel added a comment - 30/Oct/07 5:28 PM

The fix for snoop.jsp causes it to incorrectly format the page with mismatched or missing markup tags - can you look into that?

thanks
Jan

Show

Jan Bartel added a comment - 30/Oct/07 5:28 PM The fix for snoop.jsp causes it to incorrectly format the page with mismatched or missing markup tags - can you look into that? thanks Jan

Hide

Permalink

David Yu added a comment - 30/Oct/07 10:28 PM

dump-final.patch attached.
filters "<" and ">" to (amp)lt; and (amp)gt;

Show

David Yu added a comment - 30/Oct/07 10:28 PM dump-final.patch attached. filters "<" and ">" to (amp)lt; and (amp)gt;

Hide

Permalink

Jan Bartel added a comment - 31/Oct/07 2:50 AM

You need to escape the outputting of the Http parameters, and also the cookies.

cheers
Jan

Show

Jan Bartel added a comment - 31/Oct/07 2:50 AM You need to escape the outputting of the Http parameters, and also the cookies. cheers Jan

Hide

Permalink

Greg Wilkins added a comment - 02/Nov/07 12:41 AM

I redid this so instead of inserting replace().replace() everywhere, there is a private notag
method that is called.

Also many of the getPathInfo and similar methods were not protected.

Show

Greg Wilkins added a comment - 02/Nov/07 12:41 AM I redid this so instead of inserting replace().replace() everywhere, there is a private notag method that is called. Also many of the getPathInfo and similar methods were not protected.

People

Assignee:

David Yu

Reporter:

David Yu

Vote (0)

Watch (0)

Dates

Created:

25/Oct/07 9:44 PM

Updated:

02/Nov/07 12:41 AM

Resolved:

02/Nov/07 12:41 AM