[原文]Multiple cross-site scripting (XSS) vulnerabilities in example scripts in Caucho Technology Resin 2.0 through 2.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) env.jsp, (2) form.jsp, (3) session.jsp, (4) the move parameter to tictactoe.jsp, or the (5) name or (6) comment fields to guestbook.jsp.
It has been reported that Caucho Resin is prone to multiple HTML Injection and cross-site scripting vulnerabilities in various scripts that may allow a remote attacker to cause hostile HTML or script code to be rendered in the browser of a user who follows a malicious link supplied by the attacker.
The affected scripts include env.jsp, form.jsp, session.jsp, and tictactoe.jsp. The 'name' and 'comment' fields of guestbook.jsp have been reported to be vulnerable to HTML injection. An attacker may exploit this vulnerability to execute arbitrary HTML and script code in the browser of an unsuspecting user. Exploitation may also allow attackers to inject hostile HTML and script code into the sample guestbook.
Successful exploitation of these issues may allow an attacker to steal cookie-based credentials. Other attacks may also be possible.
Caucho Resin version 2.1 and prior have been reported to be prone to this issue, however other versions may be affected as well.
Resin sample scripts contain a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input upon submission to the form.jsp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 3.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): remove the form.jsp script if it is not needed