Bug 32953 - SERVLETAPI: XSS Issues
Status: RESOLVED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Webapps:Examples
Version: Nightly Build
Hardware: All
OS: All
Importance: P1 blocker
Target Milestone: ---
Assigned To: Tomcat Developers Mailing List
Keywords: PatchAvailable
Depends on:
Blocks:

Reported: 2005-01-05 12:24 UTC by Mark Thomas
Modified: 2005-01-18 07:31 UTC
CC List: 0 users
Attachments
Patch for XSS issues (5.23 KB, patch)
2005-01-05 12:25 UTC, Mark Thomas

Description Mark Thomas 2005-01-05 12:24:34 UTC
A number of XSS issues have been reported against the examples.

I will attach a patch for jakarta-servletapi-5 that fixes the reported issues
(and a few others of a similar nature).
Comment 1 Mark Thomas 2005-01-05 12:25:19 UTC
Created attachment 13896 [details]
Patch for XSS issues
Comment 2 lala 2005-01-10 03:38:09 UTC
Hi... Are you saying that when a user successfully logs in to the Tomcat Web Application
Manager, they are able to control Tomcat?

Please advise me. Your advice is greatly appreciated. Thanks!

(In reply to comment #0)
> A number of XSS issues have been reported against the examples.
> I will attach a patch for jakarta-servletapi-5 that fixes the reported issues
> (and a few others of a similar nature).

Comment 3 Mark Thomas 2005-01-10 20:05:43 UTC
Yes, but that has nothing to do with the XSS issue.

The Manager application is for managing Tomcat. Therefore, if someone has access
to the manager application they are managing (or controlling if you prefer) Tomcat.

XSS issues provide an attacker that controls one (untrusted) web site with a
mechanism for executing code on a client as if it were from another (trusted) web
site. Try a Google search for XSS for more info.
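As an added illustration of the class of bug discussed in this report (example code written for this page, not the Tomcat example webapp or the attached patch): a page that echoes a request parameter straight into its HTML lets an attacker who controls a link run script in the victim's browser under the trusted site's origin; escaping the value before it reaches the markup closes the hole. The class and method names, the `escapeXml` helper and the sample parameter values are assumptions made for the example.

```java
// Added example (not Tomcat's own code): reflected XSS from an unescaped request
// parameter, and the escaping that prevents it. All names and sample values below
// are assumptions made for this illustration.
import java.util.List;

public class ReflectedXssDemo {

    // Vulnerable rendering: the request parameter is concatenated into the HTML as-is.
    // Whatever the attacker puts in the URL becomes markup in the victim's browser and
    // runs with the trusted site's origin (cookies, session, DOM).
    static String renderUnsafe(String nameParam) {
        return "<html><body><h1>Hello, " + nameParam + "!</h1></body></html>";
    }

    // Hardened rendering: characters that can change HTML structure are replaced by
    // character references before they reach the page. This is the same transformation
    // JSTL's fn:escapeXml / <c:out> apply.
    static String renderSafe(String nameParam) {
        return "<html><body><h1>Hello, " + escapeXml(nameParam) + "!</h1></body></html>";
    }

    // Minimal escaper for element content and quoted attribute values.
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Crude check used only to make the difference visible in the demo output.
    static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample values for a hypothetical 'name' request parameter, as an
        // attacker might place them in a link: http://victim/examples/hello.jsp?name=<payload>
        List<String> samples = List.of(
            "Mark",
            "<script>alert(document.cookie)</script>",
            "\"><img src=x onerror=alert(1)>"
        );
        for (String v : samples) {
            String unsafe = renderUnsafe(v);
            String safe = renderSafe(v);
            System.out.println("input : " + v);
            System.out.println("unsafe: " + unsafe + (containsScriptTag(unsafe) ? "   <-- executes" : ""));
            System.out.println("safe  : " + safe);
            System.out.println();
        }
    }
}
```

Note that escaping has to match the output context: the helper above is correct for element text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an unquoted attribute needs a different encoding, which is why the fix for a reflected-parameter XSS is applied at the point of output rather than at input.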
Comment 4 Jean-Francois Arcand 2005-01-18 16:31:49 UTC
Applied the patch:

Checking in jsr152/examples/jsp2/el/functions.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/functions.jsp,v  <--  functions.jsp
new revision: 1.5; previous revision: 1.4
done
Checking in jsr152/examples/jsp2/el/implicit-objects.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp,v  <--  implicit-objects.jsp
new revision: 1.4; previous revision: 1.3
done
More commits to come...
Checking in jsr152/examples/jsp2/jspx/textRotate.jspx;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/jspx/textRotate.jspx,v  <--  textRotate.jspx
new revision: 1.4; previous revision: 1.3
done
More commits to come...
Checking in jsr152/examples/snp/snoop.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/snp/snoop.jsp,v  <--  snoop.jsp
new revision: 1.3; previous revision: 1.2
done