Re: JSP:includes parameter passing vulnerability

2010-09-16 Thread Michael Coates
Chris, Thanks for looking into this situation. I agree with your ultimate conclusion of user/developer education. There is a strong push within security education programs to always treat user controlled data as dangerous until validated/encoded. We just need to remember in JSPs that anytime the

Re: JSP:includes parameter passing vulnerability

2010-09-16 Thread Christopher Schultz
Michael, On 9/15/2010 6:33 PM, Michael Coates wrote: > On 9/15/10 2:46 PM, Christopher Schultz wrote: >> >> I think what you're really trying to say is "it's easy to overlook the >> fact that uses URL parameters to pass data, and that an >> include i

Re: JSP:includes parameter passing vulnerability

2010-09-16 Thread Christopher Schultz
Martin, On 9/15/2010 6:21 PM, Martin Gainty wrote: > > Mike- > check to make sure your page="mycommon.jsp" > > > Not useful information: tags must be well-formed, and wouldn't even compile if the end tag or short-form of the tag weren't being

Re: JSP:includes parameter passing vulnerability

2010-09-15 Thread Michael Coates
Chris, Thanks for your detailed response. It is very helpful. I've got some responses inline below. On 9/15/10 2:46 PM, Christopher Schultz wrote: > Michael, > > On 9/15/2010 3:05 PM, Michael Coates wrote: > > > http://michael-coates.blogspot.com/2010/09/danger-of-jsp-includes-and-parameter.html

RE: JSP:includes parameter passing vulnerability

2010-09-15 Thread Martin Gainty
> Date: Wed, 15 Sep 2010 13:18:39 -0700 > From: michael.coa...@owasp.org > To: users@tomcat.apache.org > Subject: Re: JSP:includes parameter passing vulnerability > > I agree that in the current

Re: JSP:includes parameter passing vulnerability

2010-09-15 Thread Christopher Schultz
Michael, On 9/15/2010 3:05 PM, Michael Coates wrote: > http://michael-coates.blogspot.com/2010/09/danger-of-jsp-includes-and-parameter.html Can I ask this stupid question: why are you grabbing data from the request using a variable parameter name? (

Re: JSP:includes parameter passing vulnerability

2010-09-15 Thread Michael Coates
I agree that in the current design a developer can never trust the request parameter. I guess what I'm arguing for is the ability for a developer to decide that a parameter will always come from another jsp and never come from the URL. However, even in this scenario it's possible that the origina

Re: JSP:includes parameter passing vulnerability

2010-09-15 Thread Mikolaj Rydzewski
Michael Coates wrote: It seems to me that the method used to request parameters from an included jsp file should not "fail over" to the URL if the jsp:include does not provide the parameter. IMO that's an incorrect assumption, that one can skip security consideration when using JSPs in 'safe wa