Concerning the CSS vulnerability, attached is my correspondence with the Tomcat team.

****My original email******

-------- Original Message --------
Subject: Possible Security exposure with Tomcat 5.5.15-beta
Date: Tue, 17 Jan 2006 14:46:06 -0500
From: Dave Colasurdo <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],  [EMAIL PROTECTED]
CC: Kevan Miller <[EMAIL PROTECTED]>,  Jeff Genender
<[EMAIL PROTECTED]>

It appears a security exposure was detected in Geronimo v1 that seems to
be tracked back to the Tomcat Container/Tomcat jsp-examples.

Specifically, hitting the following URL seems to expose a vulnerability.

http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

It seems the vulnerability exists in Tomcat versions (5.5.9, 5.5.12 and
5.5.15-beta), though is not present in Tomcat 5.5.7.

BTW, it seems this problem was present prior to TC 5.5.7 and was fixed
in 5.5.7. Perhaps it somehow was regressed.

Is a fix for this problem something that would be considered for
inclusion in Tomcat 5.5.15?  If so, would the fix be to the overall
container or to jsp-examples?

Thanks
-Dave-

*********Clarification email**********

-------- Original Message --------
Subject: [Fwd: Possible Security exposure with Tomcat 5.5.15-beta]
Date: Tue, 17 Jan 2006 16:08:29 -0500
From: Dave Colasurdo <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],  [EMAIL PROTECTED]
CC: [EMAIL PROTECTED],  [EMAIL PROTECTED]

One small correction.  I am seeing the same exposure in Tomcat 5.5.7.

-Dave-


*******The response from the Tomcat team**********

Dave,
Thank you for reporting this security issue.  We have analyzed the
issue and concluded that:

- It is only present in this example JSP,
- We already recommend users remove the examples and other unnecessary
webapps when they go to production, a fairly common procedure which
acts as a workaround for this problem,
- The issue was not fixed in 5.5.7, as you noted later, so this is not
a regression bug.  Similar issues were indeed fixed in 5.5.7, but not
this one,
- So we do not think the issue is critical.

The issue has been fixed in SVN and the fix will be available starting
with release 5.5.16.  However, because we don't think it's critical,
and because the workaround is already part of the common production
deployment scenario, we still plan to call 5.5.15 a stable release.

Thanks again,

Yoav (on behalf of the Tomcat team)


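The payload in the report, "/><script>alert('Gotcha')</script>, begins with a quote and a closing "/>", which is the shape of a reflected cross-site scripting payload aimed at a request parameter echoed into a double-quoted HTML attribute. The following is an added example, not the code of cal2.jsp or anything from the Tomcat project: it assumes, as a hypothetical, that the time parameter was reflected into a value="..." attribute, renders that assumption unescaped next to a hardened version that applies HTML attribute encoding (the same treatment a JSP gets from escaping output rather than writing raw request data), and shows where the attribute actually ends in each case.

```javascript
// Added example (not Tomcat's cal2.jsp). Assumption, labelled hypothetical:
// the "time" request parameter is written into a value="..." attribute.

// Payload copied from the report's URL (after URL decoding).
const PAYLOAD = `"/><script>alert('Gotcha')</script>`;

// Vulnerable pattern: raw interpolation of user input into an attribute.
// A leading quote in the input terminates the attribute, and "/>" then
// closes the <input> element, so anything after it becomes new markup.
function renderVulnerable(time) {
  return `<input type="text" name="time" value="${time}">`;
}

// HTML attribute encoder for the five characters that can alter markup
// structure or attribute boundaries. Encoding & first avoids double-encoding.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: the same template, but every character that could end
// the attribute or open a tag is encoded before it reaches the page.
function renderHardened(time) {
  return `<input type="text" name="time" value="${escapeHtmlAttr(time)}">`;
}

// Where does the browser see the value attribute end? The first unescaped
// double quote closes it; this regexp mirrors that rule for the demo.
function attributeValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Crude detection of a script element in the rendered markup. Good enough
// to show the difference between the two renderings; not an HTML parser.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Demonstration when run directly: the vulnerable rendering ends the
// attribute at the injected quote and emits a <script> element; the
// hardened one keeps the whole payload inert inside the attribute.
console.log("vulnerable :", renderVulnerable(PAYLOAD));
console.log("  attr ends after:", JSON.stringify(attributeValue(renderVulnerable(PAYLOAD))));
console.log("  script element present:", containsScriptElement(renderVulnerable(PAYLOAD)));
console.log("hardened   :", renderHardened(PAYLOAD));
console.log("  attr value:", JSON.stringify(attributeValue(renderHardened(PAYLOAD))));
console.log("  script element present:", containsScriptElement(renderHardened(PAYLOAD)));
```

The attribute encoder is context specific: it is correct for text placed inside a quoted HTML attribute or element body, but not for input landing inside a JavaScript string, a URL, or an unquoted attribute, each of which needs its own encoding. The Tomcat team's workaround of removing the example webapps before production sidesteps the issue entirely for cal2.jsp; output encoding is what fixes the pattern wherever it appears in an application's own pages.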