Penetration Testing mailing list archives

Re: Pass commande via URL with JSP


From: "Victor A. Rodriguez" <victor () bit-man com ar>
Date: Mon, 16 Jul 2001 21:02:22 -0200

Hi Cédric,

The following message was sent by Cédric Foll <follc () insa-rouen fr> on Sun, 15 Jul 2001 00:57:04 +0200.

I'm working on the security of a web site.
This one has got JSP pages under BroadVision.
In one page, I can pass as a parameter via the GET method a variable
whose content is displayed on the page.
Ex: http://serveur/page.jsp?affich=<br><bold>bonjour</bold><br>
    It will display "bonjour" in bold.
Is it a flaw ????

This problem is a typical one produced by not filtering the input
parameters, e.g. if:

- affich is a filename AND
- in page.jsp you check for its existence AND
- you show an error message indicating:
  out.print( request.getParameter("affich") + " can't be read" );

you will have the "shown effect" (it's not a bug, it's a feature ;-). 


Are there flaws in JSP pages which can allow executing arbitrary code
on the server side, like there are in CGI scripts written in Perl ????

A similar problem can be found at http://www.securityfocus.com/bid/2982,
but this time the one that introduced the error is Tomcat
(http://jakarta.apache.org/tomcat/)

Hope this helps
--
Victor A. Rodriguez (http://www.bit-man.com.ar)
El bit Fantasma (Bit-Man)
"aMail: a lot of fun in a bunch of Perl scripts"

