[ http://issues.apache.org/jira/browse/GERONIMO-1540?page=comments#action_12364012 ]
Dave Colasurdo commented on GERONIMO-1540:
------------------------------------------

The original warfile that I've attached seems to work fine on my machine (and another), though it appears to be corrupted when I re-download it from JIRA. It seems the JIRA system is having problems and I am receiving lots of garbled info when viewing items. Not yet certain if the two issues are related, though please hold off on publishing the war until the issue is resolved.

Thanks..
-Dave-

> Fix security vulnerability in jsp-examples
> ------------------------------------------
>
>          Key: GERONIMO-1540
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1540
>      Project: Geronimo
>         Type: Bug
>   Components: sample apps
>     Versions: 1.0.1, 1.1
>     Reporter: Dave Colasurdo
>  Attachments: geronimo-jsp-examples-tomcat-5.5.15-plus.war, jsp-examples.patch
>
> Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat
> jsp-examples that are included in Geronimo. It fails on both Jetty and
> Tomcat.
> This can be reproduced with the following URLs:
> http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
> http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
> This JIRA does not address a related problem in the admin console. That
> problem is addressed in GERONIMO-1474.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
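The reproduction URLs above show the classic shape of a reflected XSS: a request parameter is copied into a quoted HTML attribute, so a value that starts with `"/>` closes the attribute and the tag and the rest is parsed as markup. The following is an added illustration, not code from cal2.jsp, the attached patch, or the Geronimo/Tomcat projects; the unsafe rendering function is an assumed reconstruction of that pattern, shown beside an attribute-escaping helper that keeps the parameter as inert text.

```java
// Added example (not the Geronimo/Tomcat code): a request parameter reflected
// into an HTML attribute, unescaped and escaped. The real cal2.jsp source is
// not on the page; renderUnsafe is an assumed reconstruction of the pattern.
public class AttributeEscape {

    // Unsafe: the raw parameter is spliced into a quoted attribute, so a value
    // beginning with a double quote terminates the attribute and the tag.
    static String renderUnsafe(String time) {
        return "<input type=\"text\" name=\"time\" value=\"" + time + "\"/>";
    }

    // Escape the five characters that can change meaning inside an HTML
    // attribute or text node. '&' is handled like the others in one pass, so
    // entities produced here are never re-encoded.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Safe: identical markup, but the parameter is escaped before insertion,
    // so it can only ever be attribute text, never a new tag or script.
    static String renderSafe(String time) {
        return "<input type=\"text\" name=\"time\" value=\"" + escapeHtml(time) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed input: the payload from the report's first reproduction URL.
        String payload = "\"/><script>alert('Gotcha')</script>";
        System.out.println(renderUnsafe(payload)); // tag is closed; browser runs the script
        System.out.println(renderSafe(payload));   // &quot;/&gt;&lt;script&gt;... stays inside the attribute
    }
}
```

The same helper applies to any `<%= request.getParameter(...) %>` expression that lands in HTML; in a servlet container one would normally reach for the escaping facilities of the JSTL or the container's own utilities rather than hand-roll it, but the rule is the same.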