geronimo_css.txt

2006-01-21T00:00:00
ID PACKETSTORM:43238
Type packetstorm
Reporter Oliver Karow
Modified 2006-01-21T00:00:00

Description

                                        
                                            `Apache Geronimo 1.0 - CSS and persistent HTML-Injection vulnerabilities  
========================================================================  
  
Product:  
========  
  
Apache Geronimo is the J2EE server project of the Apache Software Foundation.  
  
Version:  
========  
  
Apache Geronimo 1.0, Jetty 5.1.9   
  
Vulnerabilities  
===============  
  
The first one is a classic cross-site scripting vulnerability in the  
jsp-examples:  
  
http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>  
  
The second one is a persistent HTML/script injection vulnerability,  
which is a little more critical than the first one:  
  
The Web-Access-Log viewer does no filtering of HTML/script tags and  
therefore allows attacks against users of the admin console.  
  
For example the request:  
  
http://10.10.10.10:8080/script-that-dont-has-to-exist.jsp?foobar="/><script>alert(document.cookie)</script>  
  
is stored unsanitized in the log file, and the script part is  
executed when the Geronimo admin opens the web-access-log viewer.  
An example attack can steal the admin's current session ID, which  
is stored as a cookie.  
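The root cause is that the log viewer copies attacker-controlled request data straight into its HTML output. The following Python illustration (added here, not Geronimo's or Jetty's own code) parses Common Log Format lines from a constructed access log, renders them both the vulnerable way and with per-cell HTML escaping, and checks which rendering lets a script tag through. The CLF layout, the table markup and the sample lines are assumptions for the demonstration.

```python
import html
import re

# Constructed sample access log (Common Log Format). The second request carries
# the kind of script-tag payload the advisory describes in its query string.
SAMPLE_LOG = """\
10.10.10.11 - - [21/Jan/2006:10:00:00 +0100] "GET /console/ HTTP/1.1" 200 512
10.10.10.12 - - [21/Jan/2006:10:00:05 +0100] "GET /missing.jsp?foobar="/><script>alert(document.cookie)</script> HTTP/1.1" 404 321
"""

# host ident authuser [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

COLUMNS = ("host", "time", "request", "status")
ALLOWED_TAGS = {"table", "tr", "td"}  # the only tags the viewer itself emits


def parse_clf(line: str) -> dict:
    """Split one access-log line into its fields; raise on malformed input."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError(f"not a CLF line: {line!r}")
    return m.groupdict()


def render_row_unsafe(entry: dict) -> str:
    """Vulnerable pattern: log fields concatenated into markup verbatim."""
    return "<tr>" + "".join(f"<td>{entry[c]}</td>" for c in COLUMNS) + "</tr>"


def render_row_safe(entry: dict) -> str:
    """Hardened pattern: every field is entity-encoded before it becomes HTML."""
    cells = (html.escape(entry[c], quote=True) for c in COLUMNS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_log(text: str, safe: bool = True) -> str:
    """Render a whole log as an HTML table using the safe or unsafe row renderer."""
    row = render_row_safe if safe else render_row_unsafe
    rows = [row(parse_clf(line)) for line in text.splitlines() if line.strip()]
    return "<table>" + "".join(rows) + "</table>"


def foreign_tags(rendered: str) -> set:
    """Tag names present in the output that the viewer never emits on its own."""
    found = {t.lower() for t in re.findall(r"<\s*/?\s*([a-zA-Z][\w-]*)", rendered)}
    return found - ALLOWED_TAGS
```

With the unsafe renderer `foreign_tags` reports `{"script"}`; with the escaping renderer it is empty and the payload survives only as `&lt;script&gt;...` text.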
  
Vendor:  
=======  
  
URL: http://geronimo.apache.org  
Bug: http://issues.apache.org/jira/browse/GERONIMO-1474  
Fix: Upgrade to version 1.0.1 or 1.1  
  
Discovered  
==========  
  
Oliver Karow  
www.oliverkarow.de/research/geronimo_css.txt  
13.01.2005  
  