Next message: rudi carell: "JS injection methods"
Hi Cédric,
The following message was sent by =?iso-8859-1?Q?C=E9dric_Foll?= <follc@insa-rouen.fr> on Sun, 15 Jul 2001 00:57:04 +0200.
> I'm working on the security of a web site.
> This on has got JSP page under broad vision.
> In one page, I can pass in paramater via the GET method a variable
> which the content is displayed on the page
> Ex: http://serveur/page.jsp?affich=><bold>bonjour</bold><br>
> It will be displayed "bonjour" in bold.
> Is it a flaw ????
This problem is a typical one produced by no filtering the input
parameters. e.g. if :
- affich is a filename AND
- page.jsp you check for its existence AND
- you show an error messages indicating :
out.print( getParameter("affich") + "can't be read" )
you will have the "shown effect" (it's not a bug, it's a feature ;-).
> Are thy flaws in JSP pages which can allow to execute arbitrary code
> in server side like there are in CGI script wrote in perl ????
A similar problem can be found at http://www.securityfocus.com/bid/2982,
but this time the one that introduced the error is Tomcat
(http://jakarta.apache.org/tomcat/)
Hope this helps
--
Victor A. Rodriguez (http://www.bit-man.com.ar)
El bit Fantasma (Bit-Man)
"aMail: a lot of fun in a bunch of Perl scripts"
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30
: Mon Jul 16 2001 - 16:15:36 PDT