Posted to dev@tomcat.apache.org by Remy Maucherat <re...@apache.org> on 2005/01/03 16:55:37 UTC

Re: Fwd: XSS in Jakarta Tomcat 5.5.6

Erik Abele wrote:
> not acked, just fwd'ing...

The issues mentioned in this email are very minor so -> tomcat-dev.

> Begin forwarded message:
> 
>> From: "Oliver Karow" <Ol...@gmx.de>
>> Date: 3 January 2005 12:29:12 CET
>> To: security@apache.org
>> Subject: XSS in Jakarta Tomcat 5.5.6
>>
>> Hello and a happy new year,
>>
>> While coding a little webapp security scanner, I found cross-site-scripting
>> vulnerabilities in Apache Tomcat/5.5.6 (JVM Version: 1.5.0_01-b08 (Sun
>> Microsystems), running on Windows 2000).
>>
>> The first one needs authentication:
>>
>> http://192.168.0.23:8080/manager/html/<script>alert("Hallo")</script>
>> http://192.168.0.23:8080/manager/html/stop?path=<script>alert("Hallo")</script>
>> http://192.168.0.23:8080/manager/html/start?path=<script>alert("Hallo")</script>

This is a non issue, so I'd say we won't fix that. It's always possible 
that someone would fix it though, if they care ;)

>> The second one works without authentication, but should not be that easy to
>> exploit:
>>
>> Telnet to port 8080 and paste the following:
>>
>> <script>alert("Hallo")</script> /jsp-examples/snp/snoop.jsp HTTP/1.0

We have decided to fix XSS in the examples web applications (which 
should obviously be removed from production servers), so I assume we 
will fix this.

>> Because I'm not very familiar with Tomcat, I want to ask you to verify the
>> existence of this bug. I looked at securityfocus.com to verify the existence
>> of this bug, but could not find anything regarding this version of Tomcat.
>>
>> If you have any questions, feel free to contact me!
>>
>> Best regards,

Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


[PATCH jakarta-servletapi-5] Re: Fwd: XSS in Jakarta Tomcat 5.5.6

Posted by Mark Thomas <ma...@apache.org>.
Patches to fix the minor XSS issues in the examples are below.

I would be grateful if someone with jakarta-servletapi-5 karma could 
commit these.

Cheers,

Mark


Index: jsr152/examples/jsp2/el/functions.jsp
===================================================================
RCS file: 
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/functions.jsp,v
retrieving revision 1.4
diff -u -r1.4 functions.jsp
--- jsr152/examples/jsp2/el/functions.jsp	18 Mar 2004 16:40:30 -0000
1.4
+++ jsr152/examples/jsp2/el/functions.jsp	20 Nov 2004 19:02:44 -0000
@@ -13,6 +13,7 @@
    See the License for the specific language governing permissions and
    limitations under the License.
  -->
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
  <%@ taglib prefix="my"
uri="http://jakarta.apache.org/tomcat/jsp2-example-taglib"%>

  <html>
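Review bot: the `fn` prefix bound on the added line needs JSTL 1.1 on the examples webapp's classpath, since the `http://java.sun.com/jsp/jstl/functions` URI and fn:escapeXml only exist from JSTL 1.1 on; textRotate.jspx later in this patch already declares the JSTL core namespace, so the standard taglib is presumably bundled, but confirm that the jar under the examples' WEB-INF/lib is a 1.1-level one, otherwise every page touched here fails at translation time rather than at request time.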
@@ -30,7 +31,7 @@
      <blockquote>
        <u><b>Change Parameter</b></u>
        <form action="functions.jsp" method="GET">
-	  foo = <input type="text" name="foo" value="${param['foo']}">
+	  foo = <input type="text" name="foo"
value="${fn:escapeXml(param["foo"])}">
            <input type="submit">
        </form>
        <br>
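Review bot: correct for the attribute context on the changed line: fn:escapeXml rewrites `"` (to `&#034;`) as well as `<`, `>`, `&` and `'`, so a value can no longer close the double-quoted `value` attribute. Style nit: the removed line used `param['foo']` and the added one `param["foo"]`; both are valid EL, but keep one spelling in the file, since the table below prints `\${param["foo"]}` as the expression text.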
@@ -42,19 +43,19 @@
  	  </thead>
  	  <tr>
  	    <td>\${param["foo"]}</td>
-	    <td>${param["foo"]}&nbsp;</td>
+	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
  	  </tr>
  	  <tr>
  	    <td>\${my:reverse(param["foo"])}</td>
-	    <td>${my:reverse(param["foo"])}&nbsp;</td>
+	    <td>${my:reverse(fn:escapeXml(param["foo"]))}&nbsp;</td>
  	  </tr>
  	  <tr>
  	    <td>\${my:reverse(my:reverse(param["foo"]))}</td>
-	    <td>${my:reverse(my:reverse(param["foo"]))}&nbsp;</td>
+	    <td>${my:reverse(my:reverse(fn:escapeXml(param["foo"])))}&nbsp;</td>
  	  </tr>
  	  <tr>
  	    <td>\${my:countVowels(param["foo"])}</td>
-	    <td>${my:countVowels(param["foo"])}&nbsp;</td>
+	    <td>${my:countVowels(fn:escapeXml(param["foo"]))}&nbsp;</td>
  	  </tr>
  	</table>
        </code>
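Review bot: escaping before `my:reverse` and `my:countVowels` changes what the demo shows. For `a&b`, `${my:reverse(fn:escapeXml(param["foo"]))}` renders `b;pma&a` instead of `b&amp;a`, and `my:countVowels` now counts the vowels inside `&amp;` and `&lt;`, so the displayed count is wrong for any input containing `&`, `<` or `>`. The output stays safe (a reversed entity contains no `<`), but the right order is to apply the function and escape its result: `<td>${fn:escapeXml(my:reverse(param["foo"]))}&nbsp;</td>`; `${my:countVowels(param["foo"])}` needs no escaping at all, as it yields digits only. The double-reverse row happens to come out the same either way.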
Index: jsr152/examples/jsp2/el/implicit-objects.jsp
===================================================================
RCS file:
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp,v
retrieving revision 1.3
diff -u -r1.3 implicit-objects.jsp
--- jsr152/examples/jsp2/el/implicit-objects.jsp	18 Mar 2004 16:40:30
-0000	1.3
+++ jsr152/examples/jsp2/el/implicit-objects.jsp	20 Nov 2004 19:04:06
-0000
@@ -13,6 +13,8 @@
    See the License for the specific language governing permissions and
    limitations under the License.
  -->
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+
  <html>
    <head>
      <title>JSP 2.0 Expression Language - Implicit Objects</title>
@@ -49,7 +51,7 @@
      <blockquote>
        <u><b>Change Parameter</b></u>
        <form action="implicit-objects.jsp" method="GET">
-	  foo = <input type="text" name="foo" value="${param["foo"]}">
+	  foo = <input type="text" name="foo"
value="${fn:escapeXml(param["foo"])}">
            <input type="submit">
        </form>
        <br>
@@ -61,11 +63,11 @@
  	  </thead>
  	  <tr>
  	    <td>\${param.foo}</td>
-	    <td>${param.foo}&nbsp;</td>
+	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
  	  </tr>
  	  <tr>
  	    <td>\${param["foo"]}</td>
-	    <td>${param["foo"]}&nbsp;</td>
+	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
  	  </tr>
  	  <tr>
  	    <td>\${header["host"]}</td>
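Review bot: the first changed line swaps `${param.foo}` for `${fn:escapeXml(param["foo"])}`, but the label cell two lines above still reads `\${param.foo}`; this table exists to show that the dot and bracket forms are equivalent, so keep the dot form there: `<td>${fn:escapeXml(param.foo)}&nbsp;</td>`. Also, the hunk stops at the `header["host"]` row: the rows that follow echo request headers, which are as client-controlled as query parameters (the Host value is whatever the client sends), and this diff does not touch them.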
Index: jsr152/examples/jsp2/jspx/textRotate.jspx
===================================================================
RCS file:
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/jspx/textRotate.jspx,v
retrieving revision 1.3
diff -u -r1.3 textRotate.jspx
--- jsr152/examples/jsp2/jspx/textRotate.jspx	21 Nov 2003 22:06:02 -0000
1.3
+++ jsr152/examples/jsp2/jspx/textRotate.jspx	20 Nov 2004 19:54:10 -0000
@@ -6,11 +6,12 @@
  <svg xmlns="http://www.w3.org/2000/svg"
       width="450" height="500" viewBox="0 0 450 500"
       xmlns:c="http://java.sun.com/jsp/jstl/core"
+     xmlns:fn="http://java.sun.com/jsp/jstl/functions"
       xmlns:jsp="http://java.sun.com/JSP/Page">
    <jsp:directive.page contentType="image/svg+xml" />
    <title>JSP 2.0 JSPX</title>
    <!-- select name parameter, or default to JSPX -->
-  <c:set var="name" value='${empty param["name"] ? "JSPX" : 
param["name"]}'/>
+  <c:set var="name" value='${empty fn:escapeXml(param["name"]) ? "JSPX" :
fn:escapeXml(param["name"])}'/>
    <g id="testContent">
      <text class="title" x="50%" y="10%" font-size="15" 
text-anchor="middle" >
              JSP 2.0 XML Syntax (.jspx) Demo</text>
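Review bot: `empty fn:escapeXml(param["name"])` on the changed line is redundant, since escaping an empty or absent value still gives an empty string; test the raw parameter and escape only the value that is used: `<c:set var="name" value='${empty param["name"] ? "JSPX" : fn:escapeXml(param["name"])}'/>`. As the page is served as image/svg+xml, XML escaping is the right choice wherever `name` is later placed in the SVG, and because `"` is rewritten to `&#034;` the value is also safe inside an attribute.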

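The two reflection points this thread discusses, modelled as an added example that is not code from the thread, from Tomcat or from JSTL: a Python re-implementation of the five replacements fn:escapeXml makes, stand-ins for the example taglib's `my:reverse` and `my:countVowels` functions, and the request-line token that snoop.jsp echoes as the request method (the case in Rémy's message). The parameter value and the raw request are constructed, and the function names are mine. It shows that escaping before the tag function, as the patch above does, still produces markup-safe output but displays the wrong result, while applying the function first and escaping what is output gives both.

```python
"""Constructed model of the escaping discussed in this thread (added example,
not Tomcat or JSTL code).  fn:escapeXml in JSTL 1.1 rewrites exactly five
characters; the two quote characters become numeric references."""

# Replacements fn:escapeXml makes (JSTL 1.1 standard implementation).
_ESCAPES = {
    "<": "&lt;",
    ">": "&gt;",
    "&": "&amp;",
    "'": "&#039;",
    '"': "&#034;",
}

# Constructed raw request from the report: the "method" token is the whole
# <script>...</script> string because it contains no spaces.
RAW_REQUEST = (
    '<script>alert("Hallo")</script> /jsp-examples/snp/snoop.jsp HTTP/1.0\r\n'
    "Host: 192.168.0.23:8080\r\n"
    "\r\n"
)


def escape_xml(s):
    """Equivalent of ${fn:escapeXml(s)}.  EL coerces a missing parameter
    (null) to "" before calling a String-typed function, so None -> ""."""
    if s is None:
        return ""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def reverse(s):
    """Stand-in for my:reverse from the jsp2 example taglib."""
    return s[::-1]


def count_vowels(s):
    """Stand-in for my:countVowels: counts a, e, i, o, u in either case."""
    return sum(1 for ch in s if ch in "aeiouAEIOU")


def is_markup_safe(s):
    """True if the text can neither open a tag nor close a quoted attribute."""
    return not any(ch in s for ch in '<>"\'')


def patched_row(foo):
    """What the patched functions.jsp rows render: escape first, then
    apply the function (escape_xml is the inner call)."""
    return {
        "reverse": reverse(escape_xml(foo)),
        "double_reverse": reverse(reverse(escape_xml(foo))),
        "vowels": count_vowels(escape_xml(foo)),
    }


def escape_last_row(foo):
    """Apply the function to the raw parameter and escape what is output."""
    return {
        "reverse": escape_xml(reverse(foo)),
        "double_reverse": escape_xml(reverse(reverse(foo))),
        "vowels": count_vowels(foo),  # digits only; nothing to escape
    }


def snoop_method(raw_request, escape):
    """Model of snoop.jsp echoing request.getMethod(): the token before the
    first space of the request line, whatever the client put there."""
    request_line = raw_request.split("\r\n", 1)[0]
    method = request_line.split(" ", 1)[0]
    return escape_xml(method) if escape else method


if __name__ == "__main__":
    foo = "a<b&c"  # constructed parameter value
    for label, row in (("patched order", patched_row(foo)),
                       ("escape last", escape_last_row(foo))):
        print(label, row, "safe:", is_markup_safe(row["reverse"]))
    for escape in (False, True):
        print("snoop method, escape=%s:" % escape,
              snoop_method(RAW_REQUEST, escape))
```

Run it directly to see both orderings side by side for `a<b&c`: the patched order prints `c;pma&b;tl&a` and a vowel count of 2, the escape-last order prints `c&amp;b&lt;a` and a count of 1; both reverse outputs are markup-safe, only the second is correct. The snoop model shows the raw `<script>` token and its escaped form.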


Re: Fwd: XSS in Jakarta Tomcat 5.5.6

Posted by Mark Thomas <ma...@apache.org>.
Remy Maucherat wrote:
> Erik Abele wrote:
> 
>> not acked, just fwd'ing...
> 
> 
> The issues mentioned in this email are very minor so -> tomcat-dev.
> 
>> Begin forwarded message:
>>
>>> From: "Oliver Karow" <Ol...@gmx.de>
>>> Date: 3 January 2005 12:29:12 CET
>>> To: security@apache.org
>>> Subject: XSS in Jakarta Tomcat 5.5.6
>>>
>>> Hello and a happy new year,
>>>
>>> While coding a little webapp security scanner, I found cross-site-scripting
>>> vulnerabilities in Apache Tomcat/5.5.6 (JVM Version: 1.5.0_01-b08 (Sun
>>> Microsystems), running on Windows 2000).
>>>
>>> The first one needs authentication:
>>>
>>> http://192.168.0.23:8080/manager/html/<script>alert("Hallo")</script>
>>> http://192.168.0.23:8080/manager/html/stop?path=<script>alert("Hallo")</script>
>>> http://192.168.0.23:8080/manager/html/start?path=<script>alert("Hallo")</script>
> 
> 
> This is a non issue, so I'd say we won't fix that. It's always possible 
> that someone would fix it though, if they care ;)

I'll look at this for the same reason I looked at the XSS issues in the 
examples - not that it is a real security issue but to stop us having to 
periodically explain to people that don't understand security why this 
is a total non-issue.

> 
>>> The second one works without authentication, but should not be that easy to
>>> exploit:
>>>
>>> Telnet to port 8080 and paste the following:
>>>
>>> <script>alert("Hallo")</script> /jsp-examples/snp/snoop.jsp HTTP/1.0
> 
> 
> We have decided to fix XSS in the examples web applications (which 
> should obviously be removed from production servers), so I assume we 
> will fix this.

I posted the patches to fix examples to the committers list a little 
while ago (I can't patch it myself as fixing the examples requires 
jakarta-servletapi-5 karma). I'll dig out the patch and post it here.

> 
>>> Because I'm not very familiar with Tomcat, I want to ask you to verify the
>>> existence of this bug. I looked at securityfocus.com to verify the existence
>>> of this bug, but could not find anything regarding this version of Tomcat.
>>>
>>> If you have any questions, feel free to contact me!
>>>
>>> Best regards,
> 
> 
> Rémy
> 
