Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/05 18:53:41 UTC

DO NOT REPLY [Bug 17685] New: - Cross site scripting issues in most of the example webapps.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17685>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17685

Cross site scripting issues in most of the example webapps.

           Summary: Cross site scripting issues in most of the example
                    webapps.
           Product: Tomcat 4
           Version: 4.0 Beta 1
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Webapps:Examples
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: rauger@spidynamics.com


While doing an audit of Sun ONE Application Server I noticed they provided a few
example web applications which were actually written by Apache. I found that
the following scripts suffer from cross site scripting attacks. Below is a list
of the scripts and attack strings. (Note: these paths are relative to the Sun ONE
Application Server 7 install path. Apache paths may vary.) Anything that says "in
form input fields" instead of "Exploit" requires a POST request to be made.
Anything that says "<XSS-HERE>" marks the portion of the URL where an attacker
could inject malicious content.

(Note: More information below attack strings)

A. SessionExample Servlet

(Exploit:
http://127.0.0.1/webapps-simple/servlet/SessionExample?dataname=<XSS-HERE>&datavalue=<XSS-HERE>)

B. CookieExample Servlet

XSS in form input fields.

(Script: http://127.0.0.1/webapps-simple/servlet/CookieExample)
(SRC: http://127.0.0.1/webapps-simple/servlets/cookies.html)


C. RequestParamExample Servlet

XSS in form input fields.

(Script: http://127.0.0.1/webapps-simple/servlet/RequestParamExample)
(SRC: http://127.0.0.1/webapps-simple/servlets/reqparams.html)



D. RequestHeaderExample Servlet

Referer header XSS.

(Script: http://127.0.0.1/webapps-simple/servlet/RequestHeaderExample)
(SRC: http://127.0.0.1/webapps-simple/servlets/reqheaders.html)



E. Snoop.jsp

User-Agent based cross site scripting flaw.

(Script: http://127.0.0.1/webapps-simple/jsp/snp/snoop.jsp)
(SRC: http://127.0.0.1/webapps-simple/jsp/snp/snoop.txt)


F. carts.jsp

Form tampering allows XSS

(Form: http://127.0.0.1/webapps-simple/jsp/sessions/carts.html)
(SRC: http://127.0.0.1/webapps-simple/jsp/sessions/carts.txt)
(Script: http://127.0.0.1/webapps-simple/jsp/sessions/carts.jsp)
(Exploit:
http://127.0.0.1/webapps-simple/jsp/sessions/carts.jsp?item=<XSS-HERE>&submit=add)



G. checkresult.jsp


(FORM: http://127.0.0.1/webapps-simple/jsp/checkbox/check.html)
(src: http://127.0.0.1/webapps-simple/jsp/checkbox/checkresult.txt)
(Exploit:
http://127.0.0.1/webapps-simple/jsp/checkbox/checkresult.jsp?fruit=<XSS-HERE>&fruit=<XSS-HERE>&submit=Submit)



H. cal1.jsp and cal2.jsp


XSS in login form

(Form: http://127.0.0.1/webapps-simple/jsp/cal/login.html)
(Script: http://127.0.0.1/webapps-simple/jsp/cal/cal1.jsp)
(SRC: http://127.0.0.1/webapps-simple/jsp/cal/cal1.txt)


XSS in time/appointment portion

(Script: http://127.0.0.1/webapps-simple/jsp/cal/cal2.jsp)
(SRC: http://127.0.0.1/webapps-simple/jsp/cal/cal2.txt)
(Exploit: http://127.0.0.1/webapps-simple/jsp/cal/cal2.jsp?time=<XSS-HERE>)

While looking in your CVS tree I noticed many of these files have not been
updated in a while, which means that they may be vulnerable. I did notice one of
the scripts listed above, "cal1.jsp", was recently patched against a few cross
site scripting issues at
"http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-4.0/webapps/examples/jsp/cal/cal1.jsp"

I agree with the statement "Obviously, the examples webapp should be removed
before putting Tomcat in production anyway.", but sometimes people don't use
common sense, and for this reason I have filed this bug report. I am
not aware of which versions of Tomcat come with these issues since I
have not done any type of Tomcat audit. If you have any questions please drop me
an email.

- Robert
SPILABS
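The defect shared by every item in the report above is the same: a request parameter (SessionExample, carts.jsp, cal2.jsp) or a request header (Referer in RequestHeaderExample, User-Agent in snoop.jsp) is written into the HTML response as-is. The following is an added illustration, not code from the bug report or from the Tomcat examples: it puts the vulnerable rendering next to the output-encoded version that closes the hole. The class name, the sample request values and the `reflectsRawMarkup` check are constructed for this example; a real servlet would read the values through `HttpServletRequest.getParameter()` and `getHeader()` instead of the map used here.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Tomcat's own code: the reflected-output pattern behind the
 * findings above, beside the HTML-encoded form that prevents the injection.
 * Request values are constructed samples standing in for parameters/headers.
 */
public class ReflectedOutputEncoding {

    /** HTML-encode a value for use inside element text or a quoted attribute. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The vulnerable pattern: the untrusted value is concatenated into the page verbatim. */
    public static String renderVulnerable(String label, String value) {
        return "<b>" + label + ":</b> " + value + "<br>\n";
    }

    /** Hardened form: every value that came from the request is encoded before it reaches the page. */
    public static String renderEscaped(String label, String value) {
        return "<b>" + escapeHtml(label) + ":</b> " + escapeHtml(value) + "<br>\n";
    }

    /** Simple review check: does markup supplied in the input survive unchanged in the response? */
    public static boolean reflectsRawMarkup(String html, String input) {
        return input.indexOf('<') >= 0 && html.contains(input);
    }

    public static void main(String[] args) {
        // Constructed sample request: the two SessionExample parameters plus the two
        // headers the report names for RequestHeaderExample and snoop.jsp.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("dataname", "colour");
        request.put("datavalue", "<script>alert(1)</script>");
        request.put("Referer", "http://example.invalid/\"><i>injected</i>");
        request.put("User-Agent", "Mozilla/5.0 <b>not-a-browser</b>");

        StringBuilder vulnerable = new StringBuilder();
        StringBuilder escaped = new StringBuilder();
        for (Map.Entry<String, String> e : request.entrySet()) {
            vulnerable.append(renderVulnerable(e.getKey(), e.getValue()));
            escaped.append(renderEscaped(e.getKey(), e.getValue()));
        }

        System.out.println("--- vulnerable response ---");
        System.out.print(vulnerable);
        System.out.println("--- encoded response ---");
        System.out.print(escaped);

        // The markup-bearing values are reflected intact only by the vulnerable renderer.
        for (String v : request.values()) {
            System.out.printf("raw markup reflected? vulnerable=%b encoded=%b%n",
                    reflectsRawMarkup(vulnerable.toString(), v),
                    reflectsRawMarkup(escaped.toString(), v));
        }
    }
}
```

Compile and run with `javac ReflectedOutputEncoding.java && java ReflectedOutputEncoding`. The point the report makes about Referer and User-Agent applies unchanged here: headers are chosen by the client just as freely as query parameters, so they go through the same encoding step, and the check only passes when no markup-bearing input appears verbatim in the encoded response.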

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org