[jira] Updated: (GERONIMO-1540) Fix security vulnerability in jsp-examples
[ http://issues.apache.org/jira/browse/GERONIMO-1540?page=all ] Dave Colasurdo updated GERONIMO-1540: - Attachment: geronimo-servlet-examples-tomcat-5.5.15.war examples-cumulative.patch As suggested by Kevan, have also upgraded servlet-examples to the TC 5.5.15 level. Have included a *cumulative patch* (examples-cumulative.patch) that covers both upgrading servlet-examples to 5.5.15 and upgrading jsp-examples to 5.5.15 (plus security fix from head).. Have also attached the new servlet-example war file at the TC 5.5.15 with our custom changes.. Have given the two wars each a unique version number to differentiate the official "5.5.15" released version from the "5.5.15 plus head" version. Feel free to update the version info if you disagree.. Thanks -Dave- > Fix security vulnerability in jsp-examples > -- > > Key: GERONIMO-1540 > URL: http://issues.apache.org/jira/browse/GERONIMO-1540 > Project: Geronimo > Type: Bug > Components: sample apps > Versions: 1.0.1, 1.1 > Reporter: Dave Colasurdo > Assignee: Kevan Miller > Attachments: examples-cumulative.patch, > geronimo-jsp-examples-tomcat-5.5.15-plus.war, > geronimo-servlet-examples-tomcat-5.5.15.war, jsp-examples.patch > > Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat > jsp-examples that are included in Geronimo. It fails on both Jetty and > Tomcat. > This can be reproduced with the following urls: > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert('Gotcha') > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert(document.cookie) > This JIRA does not address a related problem in the admin console. That > problem is addressed in GERONIMO-1474. > -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-1540) Fix security vulnerability in jsp-examples
[ http://issues.apache.org/jira/browse/GERONIMO-1540?page=all ] Dave Colasurdo updated GERONIMO-1540: - Geronimo Info: [Patch Available] > Fix security vulnerability in jsp-examples > -- > > Key: GERONIMO-1540 > URL: http://issues.apache.org/jira/browse/GERONIMO-1540 > Project: Geronimo > Type: Bug > Components: sample apps > Versions: 1.0.1, 1.1 > Reporter: Dave Colasurdo > Attachments: geronimo-jsp-examples-tomcat-5.5.15-plus.war, jsp-examples.patch > > Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat > jsp-examples that are included in Geronimo. It fails on both Jetty and > Tomcat. > This can be reproduced with the following urls: > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert('Gotcha') > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert(document.cookie) > This JIRA does not address a related problem in the admin console. That > problem is addressed in GERONIMO-1474. > -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-1540) Fix security vulnerability in jsp-examples
[ http://issues.apache.org/jira/browse/GERONIMO-1540?page=all ] Dave Colasurdo updated GERONIMO-1540: - Attachment: jsp-examples.patch geronimo-jsp-examples-tomcat-5.5.15-plus.war > Fix security vulnerability in jsp-examples > -- > > Key: GERONIMO-1540 > URL: http://issues.apache.org/jira/browse/GERONIMO-1540 > Project: Geronimo > Type: Bug > Components: sample apps > Versions: 1.0.1, 1.1 > Reporter: Dave Colasurdo > Attachments: geronimo-jsp-examples-tomcat-5.5.15-plus.war, jsp-examples.patch > > Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat > jsp-examples that are included in Geronimo. It fails on both Jetty and > Tomcat. > This can be reproduced with the following urls: > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert('Gotcha') > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert(document.cookie) > This JIRA does not address a related problem in the admin console. That > problem is addressed in GERONIMO-1474. > -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-1540) Fix security vulnerability in jsp-examples
[ http://issues.apache.org/jira/browse/GERONIMO-1540?page=all ] Dave Colasurdo updated GERONIMO-1540: - Component: sample apps Version: 1.0.1 1.1 > Fix security vulnerability in jsp-examples > -- > > Key: GERONIMO-1540 > URL: http://issues.apache.org/jira/browse/GERONIMO-1540 > Project: Geronimo > Type: Bug > Components: sample apps > Versions: 1.0.1, 1.1 > Reporter: Dave Colasurdo > > Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat > jsp-examples that are included in Geronimo. It fails on both Jetty and > Tomcat. > This can be reproduced with the following urls: > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert('Gotcha') > http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/>alert(document.cookie) > This JIRA does not address a related problem in the admin console. That > problem is addressed in GERONIMO-1474. > -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira