Author: jfrederic.clere(a)jboss.com
Date: 2011-11-24 08:56:17 -0500 (Thu, 24 Nov 2011)
New Revision: 1877
Modified:
branches/2.1.x/java/org/apache/catalina/manager/JspHelper.java
branches/2.1.x/webapps/docs/changelog.xml
branches/2.1.x/webapps/manager/sessionDetail.jsp
branches/2.1.x/webapps/manager/sessionsList.jsp
Log:
Fix CVE-2010-4172. Multiple XSS in Manager web application
Modified: branches/2.1.x/java/org/apache/catalina/manager/JspHelper.java
===================================================================
--- branches/2.1.x/java/org/apache/catalina/manager/JspHelper.java 2011-11-24 12:15:14 UTC
(rev 1876)
+++ branches/2.1.x/java/org/apache/catalina/manager/JspHelper.java 2011-11-24 13:56:17 UTC
(rev 1877)
@@ -58,7 +58,7 @@
}
private static String localeToString(Locale locale) {
if (locale != null) {
- return locale.toString();//locale.getDisplayName();
+ return escapeXml(locale.toString());//locale.getDisplayName();
} else {
return "";
}
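Review bot: localeToString now returns XML-escaped text rather than the raw Locale.toString() value, and nothing in the hunk records that contract change, so a caller could escape the result a second time. A Javadoc on the method would make the invariant explicit: `/** Returns {@code locale.toString()} XML-escaped for direct output in a JSP page, or the empty string when {@code locale} is null. */`. The trailing dead code `//locale.getDisplayName();` on the added line should be dropped rather than carried over. The method's closing brace is outside the hunk.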
Modified: branches/2.1.x/webapps/docs/changelog.xml
===================================================================
--- branches/2.1.x/webapps/docs/changelog.xml 2011-11-24 12:15:14 UTC (rev 1876)
+++ branches/2.1.x/webapps/docs/changelog.xml 2011-11-24 13:56:17 UTC (rev 1877)
@@ -35,6 +35,9 @@
<fix>
<jira>JBPAPP-7267</jira> ParserUtils uses JAXP in a non-modular
classloading compatible way (jfclere)
</fix>
+ <fix>
+ CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
+ </fix>
</changelog>
</subsection>
</section>
Modified: branches/2.1.x/webapps/manager/sessionDetail.jsp
===================================================================
--- branches/2.1.x/webapps/manager/sessionDetail.jsp 2011-11-24 12:15:14 UTC (rev 1876)
+++ branches/2.1.x/webapps/manager/sessionDetail.jsp 2011-11-24 13:56:17 UTC (rev 1877)
@@ -14,8 +14,10 @@
<% String path = (String) request.getAttribute("path");
Session currentSession = (Session)request.getAttribute("currentSession");
HttpSession currentHttpSession = currentSession.getSession();
- String currentSessionId = currentSession.getId();
- String submitUrl =
((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+ String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+ String submitUrl = JspHelper.escapeXml(response.encodeURL(
+ ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+ "?path=" + path));
%>
<head>
<meta http-equiv="content-type" content="text/html;
charset=iso-8859-1"/>
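Review bot: The new submitUrl concatenates `path` into the query string without URL-encoding it; JspHelper.escapeXml makes the result safe inside the `action="…"` attribute, but a path containing `&`, `#`, `%` or a space would be interpreted as query-string syntax rather than as the parameter value. Encoding the value before concatenation, `"?path=" + URLEncoder.encode(path, "UTF-8")`, keeps the parameter intact and still leaves the escapeXml at the sink. The same construction is used in sessionsList.jsp at its first hunk. Whether the page's import directive already brings java.net.URLEncoder into scope cannot be seen from this hunk.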
@@ -29,7 +31,7 @@
<title>Sessions Administration: details for <%= currentSessionId
%></title>
</head>
<body>
-<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId)
%></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
<table style="text-align: left;" border="0">
<tr>
@@ -104,7 +106,7 @@
String attributeName = (String) attributeNamesEnumeration.nextElement();
%>
<tr>
- <td align="center"><form action="<%= submitUrl
%>"><div><input type="hidden" name="path"
value="<%= path %>" /><input type="hidden"
name="action" value="removeSessionAttribute" /><input
type="hidden" name="sessionId" value="<%= currentSessionId
%>" /><input type="hidden" name="attributeName"
value="<%= attributeName %>" /><input type="submit"
value="Remove" /></div></form></td>
+ <td align="center"><form action="<%= submitUrl
%>"><div><input type="hidden" name="action"
value="<%= JspHelper.escapeXml(attributeName) %>" /><input
type="hidden" name="sessionId" value="<%= currentSessionId
%>" /><input type="hidden" name="attributeName"
value="<%= attributeName %>" /><input type="submit"
value="Remove" /></div></form></td>
<td><%= JspHelper.escapeXml(attributeName) %></td>
<td><% Object attributeValue =
currentHttpSession.getAttribute(attributeName); %><span title="<%=
attributeValue == null ? "" : attributeValue.getClass().toString()
%>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
</tr>
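Review bot: As shown in the added lines, the hidden `action` field now carries `<%= JspHelper.escapeXml(attributeName) %>` while the hidden `attributeName` field still emits `<%= attributeName %>` unescaped, which reads like the two values were transposed; this may be a line-wrapping artifact of the mail, but if the committed text matches what is displayed the form posts the attribute name as the action and the one attribute value the fix targets remains unescaped. The expected pair is `<input type="hidden" name="action" value="removeSessionAttribute" />` and `<input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />`. Dropping the hidden `path` field is consistent with `path` now travelling in submitUrl's query string.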
Modified: branches/2.1.x/webapps/manager/sessionsList.jsp
===================================================================
--- branches/2.1.x/webapps/manager/sessionsList.jsp 2011-11-24 12:15:14 UTC (rev 1876)
+++ branches/2.1.x/webapps/manager/sessionsList.jsp 2011-11-24 13:56:17 UTC (rev 1877)
@@ -10,7 +10,9 @@
<html
xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<% String path = (String) request.getAttribute("path");
- String submitUrl =
((HttpServletRequest)pageContext.getRequest()).getRequestURL().append("?path=").append(path).toString();
+ String submitUrl = JspHelper.escapeXml(response.encodeURL(
+ ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+ "?path=" + path));
Collection activeSessions = (Collection)
request.getAttribute("activeSessions");
%>
<head>
@@ -22,10 +24,10 @@
<meta name="author" content="Cedrik LIME"/>
<meta name="copyright" content="copyright 2005-2007 the Apache
Software Foundation"/>
<meta name="robots" content="noindex,nofollow,noarchive"/>
- <title>Sessions Administration for <%= path %></title>
+ <title>Sessions Administration for <%= JspHelper.escapeXml(path)
%></title>
</head>
<body>
-<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
<p>Tips:</p>
<ul>
@@ -39,13 +41,13 @@
<form action="<%= submitUrl %>" method="post"
id="sessionsForm">
<fieldset><legend>Active HttpSessions informations</legend>
<input type="hidden" name="action"
id="sessionsFormAction" value="injectSessions"/>
- <input type="hidden" name="sort" id="sessionsFormSort"
value="<%= (String) request.getAttribute("sort") %>"/>
+ <input type="hidden" name="sort" id="sessionsFormSort"
value="<%= JspHelper.escapeXml(request.getAttribute("sort"))
%>"/>
<% String order = (String) request.getAttribute("order");
if (order == null || "".equals(order)) {
order = "ASC";
}
%>
- <input type="hidden" name="order"
id="sessionsFormSortOrder" value="<%= order %>"/>
+ <input type="hidden" name="order"
id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order)
%>"/>
<input type="submit" name="refresh" id="refreshButton"
value="Refresh Sessions list"
onclick="document.getElementById('sessionsFormAction').value='refreshSessions';
return true;"/>
<%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
<table border="1" cellpadding="2" cellspacing="2"
width="100%">
@@ -79,11 +81,11 @@
<% Iterator iter = activeSessions.iterator();
while (iter.hasNext()) {
Session currentSession = (Session) iter.next();
- String currentSessionId = currentSession.getId();
+ String currentSessionId = JspHelper.escapeXml(currentSession.getId());
%>
<tr>
<td>
-<input type="checkbox" name="sessionIds" value="<%=
currentSessionId %>" /><a href="<%= submitUrl
%>&action=sessionDetail&sessionId=<%= currentSessionId %>"
target="_new"><%= JspHelper.escapeXml(currentSessionId) %></a>
+<input type="checkbox" name="sessionIds" value="<%=
currentSessionId %>" /><a href="<%= submitUrl
%>&action=sessionDetail&sessionId=<%= currentSessionId %>"
target="_new"><%= currentSessionId %></a>
</td>
<td style="text-align: center;"><%=
JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
<td style="text-align: center;"><%=
JspHelper.guessDisplayUserFromSession(currentSession) %></td>
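Review bot: currentSessionId is now assigned the already-escaped value, so every later `<%= currentSessionId %>` in this loop silently depends on that invariant while the name still reads as the raw id; a comment at the assignment, `// already XML-escaped by JspHelper.escapeXml: safe to emit directly below`, makes that visible to the next maintainer (sessionDetail.jsp line 52 uses the same pattern). The re-emitted `href` still joins query parameters with a bare `&`; in this XHTML page the attribute value should use `&amp;` so that the markup stays well-formed. The `while` loop continues past the end of the hunk.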
@@ -119,4 +121,4 @@
</div--%>
</body>
-</html>
\ No newline at end of file
+</html>