| Field | Value |
|---|---|
| Summary | SERVLETAPI: XSS Issues |
| Product | Tomcat 5 |
| Component | Webapps:Examples |
| Reporter | Mark Thomas <markt> |
| Assignee | Tomcat Developers Mailing List <dev> |
| Attachments | Patch for XSS issues |
Description Mark Thomas 2005-01-05 12:24:34 UTC
A number of XSS issues have been reported against the examples. I will attach a patch for jakarta-servletapi-5 that fixes the reported issues (and a few others of a similar nature).
Comment 1 Mark Thomas 2005-01-05 12:25:19 UTC
Created attachment 13896: Patch for XSS issues
Comment 2 lala 2005-01-10 03:38:09 UTC
Hi... Are you saying that when a user successfully logs in to the Tomcat Web Application Manager, they are able to control Tomcat? Please advise me. Your advice is greatly appreciated. Thanks!

(In reply to comment #0)
> A number of XSS issues have been reported against the examples.
> I will attach a patch for jakarta-servletapi-5 that fixes the reported issues
> (and a few others of a similar nature).
Comment 3 Mark Thomas 2005-01-10 20:05:43 UTC
Yes, but that has nothing to do with the XSS issue. The Manager application is for managing Tomcat. Therefore, if someone has access to the manager application they are managing (or controlling if you prefer) Tomcat. XSS issues provide an attacker that controls one (untrusted) web site with a mechanism for executing code on a client as if it was from another (trusted) web site. Try a google for XSS for more info.
Comment 4 Jean-Francois Arcand 2005-01-18 16:31:49 UTC
Applied the patch:

Checking in jsr152/examples/jsp2/el/functions.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/functions.jsp,v <-- functions.jsp
new revision: 1.5; previous revision: 1.4
done

Checking in jsr152/examples/jsp2/el/implicit-objects.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp,v <-- implicit-objects.jsp
new revision: 1.4; previous revision: 1.3
done

More commits to come...

Checking in jsr152/examples/jsp2/jspx/textRotate.jspx;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/jspx/textRotate.jspx,v <-- textRotate.jspx
new revision: 1.4; previous revision: 1.3
done

More commits to come...

Checking in jsr152/examples/snp/snoop.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/snp/snoop.jsp,v <-- snoop.jsp
new revision: 1.3; previous revision: 1.2
done
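The class of fix applied to pages such as snoop.jsp, as an added illustration that is neither the attached patch nor Tomcat's own code: a page that echoes request data (headers, parameters) back to the client must HTML-escape every request-derived value before writing it into the response, otherwise a crafted value is rendered as markup and the example page becomes a reflected XSS vector. The `SnoopExample` class, its `escapeHtml` helper and the sample headers are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not the attached patch or Tomcat code): escaping request-
 * controlled values before they are written into HTML, the defect class the
 * patch addresses in the example webapps.
 */
public class SnoopExample {

    /** Escape the characters that change meaning inside HTML text and attribute values. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Renders one "name / value" table row; both fields come from the request. */
    public static String renderRow(String name, String value) {
        return "<tr><td>" + escapeHtml(name) + "</td><td>" + escapeHtml(value) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample headers; the second value carries markup that an
        // unescaped snoop page would hand straight to the browser.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "localhost:8080");
        headers.put("User-Agent", "<script>alert(1)</script>");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            System.out.println(renderRow(h.getKey(), h.getValue()));
        }
    }
}
```

Every value that reaches the page from the request, including header names, must pass through the escape; escaping only the values a developer expects to be hostile is how these example pages ended up reported.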