[#JETTY-452] Dump Servlet - prevent possible cross site scripting - CERT VU#237888

Jetty

Created: 25/Oct/07 09:44 PM Updated: 02/Nov/07 12:41 AM

Component/s:

Servlet

Affects Version/s:

6.1.5, 6.1.6rc0

Fix Version/s:

6.1.6rc1, 6.1.6

Time Tracking:

Not Specified

File Attachments:	1. dump-edited.patch (4 kB) 2. dump-final.patch (5 kB) 3. dump-servlet.patch (2 kB) 4. dump.patch (4 kB)
Environment:	all

Description

« Hide

There has been a "security" warning raised against the dump servlet namely that it allows cross site scripting attacks

All

Comments

Work Log

Change History

Sort Order:

[ Permalink | « Hide ]

David Yu added a comment - 25/Oct/07 10:31 PM

fix patch attached

[ Permalink | « Hide ]

David,

I think you need to catch a lot more cases. for example getPathInfo

[ Permalink | « Hide ]

David Yu added a comment - 29/Oct/07 02:37 AM

dump.patch attached... includes snoop.jsp fix

[ Permalink | « Hide ]

David Yu added a comment - 30/Oct/07 03:06 AM

attached dump-edited.patch for the NPE in snoop.jsp

[ Permalink | « Hide ]

Jan Bartel added a comment - 30/Oct/07 05:28 PM

The fix for snoop.jsp causes it to incorrectly format the page with mismatched or missing markup tags - can you look into that?

thanks
Jan

[ Permalink | « Hide ]

David Yu added a comment - 30/Oct/07 10:28 PM

dump-final.patch attached.
filters "<" and ">" to (amp)lt; and (amp)gt;

[ Permalink | « Hide ]

Jan Bartel added a comment - 31/Oct/07 02:50 AM

You need to escape the outputting of the Http parameters, and also the cookies.

cheers
Jan

[ Permalink | « Hide ]

I redid this so instead of inserting replace().replace() everywhere, there is a private notag
method that is called.

Also many of the getPathInfo and similar methods were not protected.