Hi Cédric, The following message was sent by =?iso-8859-1?Q?C=E9dric_Foll?= <follc@insa-rouen.fr> on Sun, 15 Jul 2001 00:57:04 +0200. > I'm working on the security of a web site. > This on has got JSP page under broad vision. > In one page, I can pass in paramater via the GET method a variable > which the content is displayed on the page > Ex: http://serveur/page.jsp?affich=
><bold>bonjour</bold><br> > It will be displayed "bonjour" in bold. > Is it a flaw ???? This problem is a typical one produced by no filtering the input parameters. e.g. if : - affich is a filename AND - page.jsp you check for its existence AND - you show an error messages indicating : out.print( getParameter("affich") + "can't be read" ) you will have the "shown effect" (it's not a bug, it's a feature ;-). > Are thy flaws in JSP pages which can allow to execute arbitrary code > in server side like there are in CGI script wrote in perl ???? A similar problem can be found at http://www.securityfocus.com/bid/2982, but this time the one that introduced the error is Tomcat (http://jakarta.apache.org/tomcat/) Hope this helps -- Victor A. Rodriguez (http://www.bit-man.com.ar) El bit Fantasma (Bit-Man) "aMail: a lot of fun in a bunch of Perl scripts" ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 16:15:36 PDT