Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/05 18:53:41 UTC
DO NOT REPLY [Bug 17685] New: - Cross site scripting issues in most of the example webapps.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17685>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17685
Summary: Cross site scripting issues in most of the example webapps.
Product: Tomcat 4
Version: 4.0 Beta 1
Platform: All
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Webapps:Examples
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: rauger@spidynamics.com
While doing an audit of Sun ONE Application Server I noticed they provided a few
example web applications which actually were written by Apache. I found that
the following scripts suffer from cross site scripting attacks. Below is a list
of the scripts and attack strings. (Note: these paths are relative to the Sun ONE
Application Server 7 install path. Apache paths may vary.) Anything that says "in
form input fields" instead of "Exploit" requires a POST request to be made.
Anything that says "<XSS-HERE>" marks the portion of the URL where an attacker
could inject malicious content.
(Note: more information below the attack strings.)
A. SessionExample Servlet
(Exploit: http://127.0.0.1/webapps-simple/servlet/SessionExample?dataname=<XSS-HERE>&datavalue=<XSS-HERE>)
B. CookieExample Servlet
XSS in form input fields.
(Script: http://127.0.0.1/webapps-simple/servlet/CookieExample)
(SRC: http://127.0.0.1/webapps-simple/servlets/cookies.html)
C. RequestParamExample Servlet
XSS in form input fields.
(Script: http://127.0.0.1/webapps-simple/servlet/RequestParamExample)
(SRC: http://127.0.0.1/webapps-simple/servlets/reqparams.html)
D. RequestHeaderExample Servlet
Referer header XSS.
(Script: http://127.0.0.1/webapps-simple/servlet/RequestHeaderExample)
(SRC: http://127.0.0.1/webapps-simple/servlets/reqheaders.html)
E. Snoop.jsp
User-Agent based cross site scripting flaw.
(Script: http://127.0.0.1/webapps-simple/jsp/snp/snoop.jsp)
(SRC: http://127.0.0.1/webapps-simple/jsp/snp/snoop.txt)
F. carts.jsp
Form tampering allows XSS.
(Form: http://127.0.0.1/webapps-simple/jsp/sessions/carts.html)
(SRC: http://127.0.0.1/webapps-simple/jsp/sessions/carts.txt)
(Script: http://127.0.0.1/webapps-simple/jsp/sessions/carts.jsp)
(Exploit: http://127.0.0.1/webapps-simple/jsp/sessions/carts.jsp?item=<XSS-HERE>&submit=add)
G. checkresult.jsp
(Form: http://127.0.0.1/webapps-simple/jsp/checkbox/check.html)
(SRC: http://127.0.0.1/webapps-simple/jsp/checkbox/checkresult.txt)
(Exploit: http://127.0.0.1/webapps-simple/jsp/checkbox/checkresult.jsp?fruit=<XSS-HERE>&fruit=<XSS-HERE>&submit=Submit)
H. cal1.jsp and cal2.jsp
XSS in login form.
(Form: http://127.0.0.1/webapps-simple/jsp/cal/login.html)
(Script: http://127.0.0.1/webapps-simple/jsp/cal/cal1.jsp)
(SRC: http://127.0.0.1/webapps-simple/jsp/cal/cal1.txt)
XSS in time/appointment portion.
(Script: http://127.0.0.1/webapps-simple/jsp/cal/cal2.jsp)
(SRC: http://127.0.0.1/webapps-simple/jsp/cal/cal2.txt)
(Exploit: http://127.0.0.1/webapps-simple/jsp/cal/cal2.jsp?time=<XSS-HERE>)
While looking in your CVS tree I noticed many of these files have not been
updated in a while, which means that they may be vulnerable. I did notice one of
the scripts listed above, "cal1.jsp", was recently patched against a few cross
site scripting issues at
"http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-4.0/webapps/examples/jsp/cal/cal1.jsp".
I agree with the statement "Obviously, the examples webapp should be removed
before putting Tomcat in production anyway.", but sometimes people don't use
common sense, and for this reason I have filled out this bug report. I am
not aware of which versions of Tomcat come included with these issues since I
have not done any type of Tomcat audit. If you have any questions please drop me
an email.
- Robert
SPILABS
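As an added illustration of the fix this report calls for (example code, not code from the Tomcat examples webapp or from the reporter): a hypothetical servlet that echoes request parameters and the User-Agent and Referer headers the way the listed examples do, but passes every untrusted value through an HTML-escaping helper before writing it to the page. The class and method names are invented for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet for the defect class in this report: parameters and
// headers reflected into HTML. Every value goes through escapeHtml() first.
public class EscapedEchoServlet extends HttpServlet {
    // Escape the characters that let untrusted text break out of HTML text
    // content or a double-quoted attribute value. Null becomes empty.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h3>Request parameters</h3><table>");
        // Parameter names are attacker-controlled too, so escape both columns.
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            for (String value : e.getValue()) {
                out.println("<tr><td>" + escapeHtml(e.getKey()) + "</td><td>"
                        + escapeHtml(value) + "</td></tr>");
            }
        }
        out.println("</table><h3>Request headers</h3><table>");
        for (String h : new String[] {"User-Agent", "Referer"}) {
            out.println("<tr><td>" + h + "</td><td>"
                    + escapeHtml(req.getHeader(h)) + "</td></tr>");
        }
        out.println("</table></body></html>");
    }

    // Form submissions arrive as POST; handle them exactly like GET.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        doGet(req, resp);
    }
}
```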