Jetty / JETTY-452

Dump Servlet - prevent possible cross site scripting - CERT VU#237888

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.1.5, 6.1.6rc0
    • Fix Version/s: 6.1.6rc1, 6.1.6
    • Component/s: Servlet
    • Labels: None
    • Environment: all
    • Number of attachments: 4

      Description

      There has been a "security" warning raised against the dump servlet, namely that it allows cross site scripting attacks.

      1. dump.patch (4 kB, David Yu)
      2. dump-edited.patch (4 kB, David Yu)
      3. dump-final.patch (5 kB, David Yu)
      4. dump-servlet.patch (2 kB, David Yu)

        Activity

        David Yu added a comment -

        fix patch attached

        Greg Wilkins added a comment -

        David,

        I think you need to catch a lot more cases, for example getPathInfo.

        David Yu added a comment -

        dump.patch attached... includes snoop.jsp fix

        David Yu added a comment -

        attached dump-edited.patch for the NPE in snoop.jsp

        Jan Bartel added a comment -

        The fix for snoop.jsp causes it to incorrectly format the page with mismatched or missing markup tags - can you look into that?

        thanks
        Jan

        David Yu added a comment -

        dump-final.patch attached.
        filters "<" and ">" to "&lt;" and "&gt;"

        Jan Bartel added a comment -

        You need to escape the outputting of the HTTP parameters, and also the cookies.

        cheers
        Jan

        Greg Wilkins added a comment -

        I redid this so instead of inserting replace().replace() everywhere, there is a private notag
        method that is called.

        Also many of the getPathInfo and similar methods were not protected.


          People

          • Assignee: David Yu
          • Reporter: David Yu
