Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2010/11/22 20:03:21 UTC

[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying any filtering and is therefore vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not set httpOnly on session cookies by default, so this vulnerability could expose session cookies for the Manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities that apply if the deployed web applications are not trusted.

Example:
GET /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the patch for 7.0.4 (see below)
  - Update to 7.0.5 when released
- Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches 
The Apache Tomcat Security Team


****************
Patch for 6.0.29
****************

Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(working copy)
@@ -30,8 +30,10 @@
 <% String path = (String) request.getAttribute("path");
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path);
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
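Review bot: `path` is concatenated into the query string of `submitUrl` without URL-encoding; the `JspHelper.escapeXml` wrapper only covers the HTML attribute context the URL is later written into. If a context path can carry characters that are meaningful inside a URL (`&`, `#`, `%`), the resulting action URL will be misparsed. Wrapping the value as `URLEncoder.encode(path, "UTF-8")` before the concatenation keeps the URL encoding and the HTML encoding separate. A second, smaller point: `currentSessionId` is now escaped at assignment rather than at output, which covers every later `<%= currentSessionId %>` in the file but means the variable must not be reused in a non-HTML context (a header, a redirect) without un-escaping it.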
@@ -45,7 +47,7 @@
 	<title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
  <table style="text-align: left;" border="0">
   <tr>
@@ -54,7 +56,7 @@
   </tr>
   <tr>
     <th>Guessed Locale</th>
- -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
   </tr>
   <tr>
     <th>Guessed User</th>
@@ -120,7 +122,7 @@
    	String attributeName = (String) attributeNamesEnumeration.nextElement();
 %>
 		<tr>
- -			<td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="path" value="<%= path %>" /><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" /></div></form></td>
+			<td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" /><input type="submit" value="Remove" /></div></form></td>
 			<td><%= JspHelper.escapeXml(attributeName) %></td>
 			<td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %><span title="<%= attributeValue == null ? "" : attributeValue.getClass().toString() %>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
 		</tr>
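Review bot: removing the hidden `path` field is a functional regression for this form. It has no `method` attribute, so it submits with GET, and for a GET submission the browser discards the query string of the `action` URL and replaces it with the form fields; with `?path=` now living only in `submitUrl`, the Remove button will send `action`, `sessionId` and `attributeName` but no `path`. Either keep the hidden input with its value escaped, `<input type="hidden" name="path" value="<%= JspHelper.escapeXml(path) %>" />`, or give the form `method="post"` as the 7.0.4 version of this file already has.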
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionsList.jsp	(revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionsList.jsp	(working copy)
@@ -26,7 +26,9 @@
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
- -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + path;
+   String submitUrl = JspHelper.escapeXml(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path);
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -38,10 +40,10 @@
 	<meta name="author" content="Cedrik LIME"/>
 	<meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
 	<meta name="robots" content="noindex,nofollow,noarchive"/>
- -	<title>Sessions Administration for <%= path %></title>
+	<title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
 </head>
 <body>
- -<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
  <p>Tips:</p>
 <ul>
@@ -55,13 +57,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
 	<fieldset><legend>Active HttpSessions informations</legend>
 		<input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
- -		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
 		<% String order = (String) request.getAttribute("order");
 		   if (order == null || "".equals(order)) {
 		   	order = "ASC";
 		   }
 		%>
- -		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
 		<input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
 		<%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
 		<table border="1" cellpadding="2" cellspacing="2" width="100%">
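Review bot: this is the hunk that closes the reflected `sort` value from the advisory's example request, and escaping on output is sufficient for that. Because `sort` and `order` also drive the server-side ordering of the list, consider validating them against the column names the page can actually sort by and the two values `ASC`/`DESC` before they are used at all, so an unexpected value is dropped rather than only rendered inertly. Note also that the new line passes the raw `Object` from `request.getAttribute("sort")` to `escapeXml` instead of the old `(String)` cast, so it depends on the `Object` overload that the `attributeValue` call in sessionDetail.jsp uses as well.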
@@ -95,13 +97,13 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
    	Session currentSession = (Session) iter.next();
- -   	String currentSessionId = currentSession.getId();
+   	String currentSessionId = JspHelper.escapeXml(currentSession.getId());
 %>
 				<tr>
 					<td>
- -<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= JspHelper.escapeXml(currentSessionId) %></a>
+<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= currentSessionId %></a>
 					</td>
- -					<td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+					<td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
 					<td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
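Review bot: the guessed locale on the changed line is now escaped, but the adjacent context line `<%= JspHelper.guessDisplayUserFromSession(currentSession) %>` is still written raw. The user name is derived from session state set by the deployed web application, which is exactly the untrusted-application input the advisory's additional issues concern, so it should get the same `JspHelper.escapeXml(...)` wrapper unless the helper already escapes internally (in which case the locale wrapper added here is redundant and one of the two conventions should be picked).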



***************
Patch for 7.0.4
***************

Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(revision 1037768)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(working copy)
@@ -30,9 +30,10 @@
 <% String path = (String) request.getAttribute("path");
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl = response.encodeURL(((HttpServletRequest)
- -           pageContext.getRequest()).getRequestURL().toString());
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
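Review bot: applying `JspHelper.escapeXml` around `response.encodeURL(...)` is the right order: URL rewriting may append a `;jsessionid=` segment, and the complete URL is then escaped for the attribute it is written into. The `path` value inside that URL is still concatenated without URL-encoding, though; `URLEncoder.encode(path, "UTF-8")` around it would close that gap without affecting the HTML escaping.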
@@ -46,7 +47,7 @@
     <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
  <table style="text-align: left;" border="0">
   <tr>
@@ -55,7 +56,7 @@
   </tr>
   <tr>
     <th>Guessed Locale</th>
- -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
   </tr>
   <tr>
     <th>Guessed User</th>
@@ -89,7 +90,6 @@
  <form method="post" action="<%= submitUrl %>">
   <div>
- -    <input type="hidden" name="path" value="<%= path %>" />
     <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
     <input type="hidden" name="action" value="sessionDetail" />
     <input type="submit" value="Refresh" />
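Review bot: dropping the hidden `path` input is only safe here because the form is `method="post"`: a POST submission keeps the query string of the `action` URL intact, so the `?path=` carried by `submitUrl` still reaches the servlet. The same simplification in the 6.0.29 patch is applied to a form without a `method` attribute, where it does not hold; worth double-checking that every form touched by this patch is a POST form before relying on it.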
@@ -131,10 +131,9 @@
             <td align="center">
                 <form method="post" action="<%= submitUrl %>">
                     <div>
- -                        <input type="hidden" name="path" value="<%= path %>" />
                         <input type="hidden" name="action" value="removeSessionAttribute" />
                         <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
- -                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
                         <%
                           if ("Primary".equals(request.getAttribute("sessionType"))) {
                         %>
@@ -156,7 +155,6 @@
  <form method="post" action="<%=submitUrl%>">
   <p style="text-align: center;">
- -    <input type="hidden" name="path" value="<%= path %>" />
     <input type="submit" value="Return to session list" />
   </p>
 </form>
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionsList.jsp	(revision 1037768)
+++ webapps/manager/WEB-INF/jsp/sessionsList.jsp	(working copy)
@@ -28,8 +28,9 @@
  <%@page import="org.apache.catalina.manager.DummyProxySession"%><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
- -   String submitUrl = response.encodeURL(((HttpServletRequest)
- -           pageContext.getRequest()).getRequestURI() + "?path=" + path);
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -41,10 +42,10 @@
     <meta name="author" content="Cedrik LIME"/>
     <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
     <meta name="robots" content="noindex,nofollow,noarchive"/>
- -    <title>Sessions Administration for <%= path %></title>
+    <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
 </head>
 <body>
- -<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
  <p>Tips:</p>
 <ul>
@@ -58,13 +59,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
     <fieldset><legend>Active HttpSessions informations</legend>
         <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
- -        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
         <% String order = (String) request.getAttribute("order");
            if (order == null || "".equals(order)) {
                order = "ASC";
            }
         %>
- -        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
         <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
         <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
         <table border="1" cellpadding="2" cellspacing="2" width="100%">
@@ -100,7 +101,7 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
        Session currentSession = (Session) iter.next();
- -       String currentSessionId = currentSession.getId();
+       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
        String type;
        if (currentSession instanceof DeltaSession) {
            if (((DeltaSession) currentSession).isPrimarySession()) {
@@ -121,13 +122,13 @@
                             out.print(currentSessionId);
                         } else {
                       %>
- -                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
+                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
                       <%
                         }
                       %>
                     </td>
                     <td style="text-align: center;"><%= type %></td>
- -                    <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+                    <td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
                     <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
                     <td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
                     <td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
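Review bot: `<%= JspHelper.guessDisplayUserFromSession(currentSession) %>` on the context line is still unescaped while the locale beside it now is; apply the same wrapper unless the helper escapes internally. `<%= type %>` on the other context line can stay raw, since `type` is assigned in the `instanceof` branches visible in the previous hunk rather than from request input.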
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
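The Description and Example in the announcement above show a request parameter (`sort`) being reflected into the session list page without filtering. As an added illustration, not Tomcat's own code, the Java program below renders the advisory's payload three ways: through an unpatched-style hidden input, through attribute escaping as the patches do, and through an allow-list that rejects it before it reaches the page. The `escapeXml` here is a stand-in written for this example and does not reproduce `org.apache.catalina.manager.JspHelper.escapeXml`; the class name `SessionListParams` and the set of sort keys are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example, not Tomcat code. Two layers a defender wants for the
 * sort/order parameters reflected by the Manager session list:
 *   1. output escaping (what the advisory's patches add via JspHelper.escapeXml);
 *   2. allow-list validation of the parameter before it is used at all.
 */
public final class SessionListParams {

    // Sort keys the list is assumed to understand (assumption for this example).
    private static final Set<String> SORT_KEYS = new HashSet<String>(Arrays.asList(
            "id", "locale", "user", "creationTime", "lastAccessedTime"));

    private static final Set<String> ORDERS = new HashSet<String>(Arrays.asList("ASC", "DESC"));

    /** Stand-in for JspHelper.escapeXml: escapes the five XML/HTML metacharacters. */
    public static String escapeXml(Object value) {
        if (value == null) {
            return "";
        }
        String s = value.toString();
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the requested sort key only if it is on the allow-list, else the default. */
    public static String sortKey(String requested) {
        return requested != null && SORT_KEYS.contains(requested) ? requested : "id";
    }

    /** Mirrors the JSP's defaulting of order to ASC, but also rejects unknown values. */
    public static String order(String requested) {
        return requested != null && ORDERS.contains(requested) ? requested : "ASC";
    }

    /** Renders a hidden input the way the patched JSP does: value escaped for attribute context. */
    public static String hiddenInput(String name, Object value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + escapeXml(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed input: the sort value from the advisory's example request.
        String payload = "\"><script>alert('xss')</script>";

        // Unpatched rendering: the quote closes the attribute and the script tag lands in the page.
        System.out.println("unpatched: <input type=\"hidden\" name=\"sort\" value=\"" + payload + "\"/>");

        // Patched rendering: the same value is inert inside the attribute.
        System.out.println("escaped:   " + hiddenInput("sort", payload));

        // Validation layer: the value never reaches the page; the default key is used instead.
        System.out.println("validated: " + hiddenInput("sort", sortKey(payload)));
        System.out.println("order:     " + hiddenInput("order", order("DESC\"><b>")));
    }
}
```

Escaping at the point of output is what closes the reflected XSS, and it is the approach the patches above take; validating `sort` and `order` against the values the page can actually sort by is the additional check that keeps unexpected input out of the server-side ordering as well. On the httpOnly point in the Description: on Tomcat 6.0.19 and later the flag is controlled by the `useHttpOnly` attribute of the `Context` element, which defaults to false on 6.0.x and true on 7.0.x, so Tomcat 6 users can enable it in their context configuration independently of the patch.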

Re: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Posted by Mark Thomas <ma...@apache.org>.
On 22/11/2010 19:52, Konstantin Kolinko wrote:
> 2010/11/22 Mark Thomas <ma...@apache.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
>>
> 
> (...)
> 
> FYI:
> The patches included in the announcement are hardly readable, because
> the mailing software replaced '-' with '- -' at the start of lines,
> and wrapped long lines as well.

That is as a result of the e-mail being digitally signed. E-mail clients
capable of processing the signature will remove the double '- -' and
unwrap any wrapped lines.

The mirrors have now picked up the patches so I'll post a quick follow
up to the users and dev list with links to the patches.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Posted by Konstantin Kolinko <kn...@gmail.com>.
2010/11/22 Mark Thomas <ma...@apache.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
>

(...)

FYI:
The patches included in the announcement are hardly readable, because
the mailing software replaced '-' with '- -' at the start of lines,
and wrapped long lines as well.

[1] http://mail-archives.apache.org/mod_mbox/tomcat-announce/201011.mbox/%3C4CEAC06F.6030900@apache.org%3E

[2] http://markmail.org/message/kem4h34suvkqyv4h

Best regards,
Konstantin Kolinko



Re: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Posted by Jacques Le Roux <ja...@les7arts.com>.
Oh, right!

Jacques

Scott Gray wrote:
> We don't use tomcat's manager application.
>
> Regards
> Scott
>
> HotWax Media
> http://www.hotwaxmedia.com
>
> On 1/12/2010, at 9:54 PM, Jacques Le Roux wrote:
>
>> Hi,
>>
>> Should we not update?
>>
>> Thanks
>>
>> Jacques
>>
>> From: "Mark Thomas" <ma...@apache.org>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
>>>
>>> (...)
>>> width="100%"> @@ -100,7 +101,7 @@
>>> <% Iterator iter = activeSessions.iterator();
>>>   while (iter.hasNext()) {
>>>       Session currentSession = (Session) iter.next();
>>> - -       String currentSessionId = currentSession.getId();
>>> +       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
>>>       String type;
>>>       if (currentSession instanceof DeltaSession) {
>>>           if (((DeltaSession) currentSession).isPrimarySession()) {
>>> @@ -121,13 +122,13 @@
>>>                            out.print(currentSessionId);
>>>                        } else {
>>>                      %>
>>> - -                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId
>>> %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a> +                      <a href="<%= submitUrl
>>>                      %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%=
>>>                        currentSessionId %></a> <% }
>>>                      %>
>>>                    </td>
>>>                    <td style="text-align: center;"><%= type %></td>
>>> - -                    <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
>>> +                    <td style="text-align: center;"><%=
>>>                    JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td> <td style="text-align:
>>>                    center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td> <td style="text-align:
>>>                    center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td> <td style="text-align:
>>> center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td> -----BEGIN PGP SIGNATURE-----

Re: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Posted by Scott Gray <sc...@hotwaxmedia.com>.
We don't use tomcat's manager application.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 1/12/2010, at 9:54 PM, Jacques Le Roux wrote:

> Hi,
> 
> Should we not update?
> 
> Thanks
> 
> Jacques
> 
> From: "Mark Thomas" <ma...@apache.org>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
>> 
>> Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate
>> 
>> Vendor: The Apache Software Foundation
>> 
>> Versions Affected:
>> - - Tomcat 7.0.0 to 7.0.4
>> - Not affected in default configuration.
>> - Affected if CSRF protection is disabled
>> - Additional XSS issues if web applications are untrusted
>> - - Tomcat 6.0.12 to 6.0.29
>> - Affected in default configuration
>> - Additional XSS issues if web applications are untrusted
>> - - Tomcat 5.5.x
>> - Not affected
>> 
>> Description:
>> The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack.
>> Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.
>> A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.
>> 
>> Example:
>> GET /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list
>> 
>> Mitigation:
>> Users of affected versions should apply one of the following mitigations
>> - - Tomcat 7.0.0 to 7.0.4
>> - Remove the Manager application
>> - Remove the sessionList.jsp and sessionDetail.jsp files
>> - Ensure the CSRF protection is enabled
>> - Apply the patch 7.0.4 patch (see below)
>> - Update to 7.0.5 when released
>> - - Tomcat 6.0.12 to 6.0.29
>> - Remove the Manager application
>> - Remove the sessionList.jsp and sessionDetail.jsp files
>> - Apply the patch for 6.0.29 (see below)
>> - Update to 6.0.30 when released
>> 
>> No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
>> releases.
>> 
>> Credit:
>> The original issue was discovered by Adam Muntner of Gotham Digital Science.
>> Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.
>> 
>> References:
>> http://tomcat.apache.org/security.html
>> http://tomcat.apache.org/security-7.html
>> http://tomcat.apache.org/security-6.html
>> 
>> Note: The patches
>> The Apache Tomcat Security Team
>> 
>> 
>> ****************
>> Patch for 6.0.29
>> ****************
>> 
>> Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
>> ===================================================================
>> - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769)
>> +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy)
>> @@ -30,8 +30,10 @@
>> <% String path = (String) request.getAttribute("path");
>>   Session currentSession = (Session)request.getAttribute("currentSession");
>>   HttpSession currentHttpSession = currentSession.getSession();
>> - -   String currentSessionId = currentSession.getId();
>> - -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
>> +   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
>> +   String submitUrl = JspHelper.escapeXml(
>> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
>> +           "?path=" + path);
>> %>
>> <head>
>>    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
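Review bot: escaping currentSessionId at its declaration rather than at each output point leaves a variable whose name no longer says it holds encoded text; the next hunk has to remove an existing escapeXml() around it to avoid double encoding (an & would become &amp;amp;), and any later code that needs the raw id for a session lookup will silently get the escaped form. A name such as escapedSessionId, or keeping the raw id and escaping where it is written out, would make the invariant visible.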
>> @@ -45,7 +47,7 @@
>> <title>Sessions Administration: details for <%= currentSessionId %></title>
>> </head>
>> <body>
>> - -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
>> +<h1>Details for Session <%= currentSessionId %></h1>
>> <table style="text-align: left;" border="0">
>>  <tr>
>> @@ -54,7 +56,7 @@
>>  </tr>
>>  <tr>
>>    <th>Guessed Locale</th>
>> - -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
>> +    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>>  </tr>
>>  <tr>
>>    <th>Guessed User</th>
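Review bot: only the Guessed Locale cell is wrapped in escapeXml() here; the Guessed User row that follows (and the user, creation-time and last-accessed columns in sessionsList.jsp further down) still writes JspHelper.guessDisplayUserFromSession() output straight into the page. That value is derived from session attributes set by the deployed web application, which the advisory treats as potentially untrusted, so it should either get the same wrapping or the helper's own escaping should be confirmed and noted in this patch.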
>> @@ -120,7 +122,7 @@
>>   String attributeName = (String) attributeNamesEnumeration.nextElement();
>> %>
>> <tr>
>> - - <td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="path" value="<%= path %>" /><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" /></div></form></td>
>> + <td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" /><input type="submit" value="Remove" /></div></form></td>
>> <td><%= JspHelper.escapeXml(attributeName) %></td>
>> <td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %><span title="<%= attributeValue == null ? "" : attributeValue.getClass().toString() %>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
>> </tr>
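Review bot: the form on the + line has no method attribute, so it submits with GET, and a GET submission replaces the query string of the action URL with the encoded form fields; with the hidden path input removed, the ?path= carried by submitUrl will not reach the server. Either keep the hidden input or add method="post", as the equivalent forms in the 7.0.4 patch have. Escaping attributeName in the hidden input is right, since attribute names come from the application's own session.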
>> Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
>> ===================================================================
>> - --- webapps/manager/WEB-INF/jsp/sessionsList.jsp (revision 1037769)
>> +++ webapps/manager/WEB-INF/jsp/sessionsList.jsp (working copy)
>> @@ -26,7 +26,9 @@
>> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
>> <% String path = (String) request.getAttribute("path");
>> - -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + path;
>> +   String submitUrl = JspHelper.escapeXml(
>> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
>> +           "?path=" + path);
>>   Collection activeSessions = (Collection) request.getAttribute("activeSessions");
>> %>
>> <head>
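Review bot: escapeXml() makes submitUrl safe inside a quoted attribute, but path is still concatenated into the query string raw: a value containing &, # or ? changes the meaning of the URL once the browser decodes the attribute, and a missing attribute yields the literal ?path=null. URL-encoding path (URLEncoder.encode) before building the string, and escaping the result, covers the URL context as well as the HTML one.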
>> @@ -38,10 +40,10 @@
>> <meta name="author" content="Cedrik LIME"/>
>> <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
>> <meta name="robots" content="noindex,nofollow,noarchive"/>
>> - - <title>Sessions Administration for <%= path %></title>
>> + <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
>> </head>
>> <body>
>> - -<h1>Sessions Administration for <%= path %></h1>
>> +<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
>> <p>Tips:</p>
>> <ul>
>> @@ -55,13 +57,13 @@
>> <form action="<%= submitUrl %>" method="post" id="sessionsForm">
>> <fieldset><legend>Active HttpSessions informations</legend>
>> <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
>> - - <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
>> + <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
>> <% String order = (String) request.getAttribute("order");
>>    if (order == null || "".equals(order)) {
>>    order = "ASC";
>>    }
>> %>
>> - - <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
>> + <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
>> <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
>> <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
>> <table border="1" cellpadding="2" cellspacing="2" width="100%">
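Review bot: order is defaulted to ASC but never validated, and sort is only output-encoded; both values drive the list's sort behaviour and only ever take a handful of legitimate values (ASC/DESC and the column names), so a whitelist check where they are read would be a stronger fix than escaping alone and would keep odd values from reaching whatever consumes them server-side. The (String) cast was dropped on the sort line, which relies on an escapeXml(Object) overload; the attributeValue line in sessionDetail.jsp shows that overload exists.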
>> @@ -95,13 +97,13 @@
>> <% Iterator iter = activeSessions.iterator();
>>   while (iter.hasNext()) {
>>   Session currentSession = (Session) iter.next();
>> - -   String currentSessionId = currentSession.getId();
>> +   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
>> %>
>> <tr>
>> <td>
>> - -<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= JspHelper.escapeXml(currentSessionId) %></a>
>> +<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= currentSessionId %></a>
>> </td>
>> - - <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
>> + <td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>> <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
>> <td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
>> <td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
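Review bot: the + line inserts the pre-escaped currentSessionId into three different contexts at once: a checkbox value, the query string of an href and the link text. XML escaping is the right treatment for the attribute and the text node, but a value placed in a URL query would also need URL-encoding; that is harmless only because Tomcat generates the id itself, and a short comment recording that assumption would stop the pattern being copied for user-supplied values.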
>> 
>> 
>> 
>> ***************
>> Patch for 7.0.4
>> ***************
>> 
>> Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
>> ===================================================================
>> - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037768)
>> +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy)
>> @@ -30,9 +30,10 @@
>> <% String path = (String) request.getAttribute("path");
>>   Session currentSession = (Session)request.getAttribute("currentSession");
>>   HttpSession currentHttpSession = currentSession.getSession();
>> - -   String currentSessionId = currentSession.getId();
>> - -   String submitUrl = response.encodeURL(((HttpServletRequest)
>> - -           pageContext.getRequest()).getRequestURL().toString());
>> +   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
>> +   String submitUrl = JspHelper.escapeXml(response.encodeURL(
>> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
>> +           "?path=" + path));
>> %>
>> <head>
>>    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
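Review bot: the nesting is correct here, escapeXml() outermost, so any ;jsessionid= path parameter added by response.encodeURL() is escaped before it lands in an attribute. Note the quiet behaviour change on the same lines: the old code used getRequestURL(), an absolute URL with no query, while the new one uses getRequestURI() plus ?path=, so submitUrl is now relative and always carries path; that is what lets the later hunks in this file drop the hidden path inputs, and it deserves a sentence in the commit message.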
>> @@ -46,7 +47,7 @@
>>    <title>Sessions Administration: details for <%= currentSessionId %></title>
>> </head>
>> <body>
>> - -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
>> +<h1>Details for Session <%= currentSessionId %></h1>
>> <table style="text-align: left;" border="0">
>>  <tr>
>> @@ -55,7 +56,7 @@
>>  </tr>
>>  <tr>
>>    <th>Guessed Locale</th>
>> - -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
>> +    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>>  </tr>
>>  <tr>
>>    <th>Guessed User</th>
>> @@ -89,7 +90,6 @@
>> <form method="post" action="<%= submitUrl %>">
>>  <div>
>> - -    <input type="hidden" name="path" value="<%= path %>" />
>>    <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
>>    <input type="hidden" name="action" value="sessionDetail" />
>>    <input type="submit" value="Refresh" />
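Review bot: removing the hidden path input here, and in the two hunks that follow, is safe only because each of those forms is method="post"; a POST keeps the ?path= query in the action URL, which the first hunk now guarantees submitUrl carries. The same removal on a GET form would drop the parameter, so the dependency is worth recording.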
>> @@ -131,10 +131,9 @@
>>            <td align="center">
>>                <form method="post" action="<%= submitUrl %>">
>>                    <div>
>> - -                        <input type="hidden" name="path" value="<%= path %>" />
>>                        <input type="hidden" name="action" value="removeSessionAttribute" />
>>                        <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
>> - -                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
>> +                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
>>                        <%
>>                          if ("Primary".equals(request.getAttribute("sessionType"))) {
>>                        %>
>> @@ -156,7 +155,6 @@
>> <form method="post" action="<%=submitUrl%>">
>>  <p style="text-align: center;">
>> - -    <input type="hidden" name="path" value="<%= path %>" />
>>    <input type="submit" value="Return to session list" />
>>  </p>
>> </form>
>> Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
>> ===================================================================
>> - --- webapps/manager/WEB-INF/jsp/sessionsList.jsp (revision 1037768)
>> +++ webapps/manager/WEB-INF/jsp/sessionsList.jsp (working copy)
>> @@ -28,8 +28,9 @@
>> <%@page import="org.apache.catalina.manager.DummyProxySession"%><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
>> <% String path = (String) request.getAttribute("path");
>> - -   String submitUrl = response.encodeURL(((HttpServletRequest)
>> - -           pageContext.getRequest()).getRequestURI() + "?path=" + path);
>> +   String submitUrl = JspHelper.escapeXml(response.encodeURL(
>> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
>> +           "?path=" + path));
>>   Collection activeSessions = (Collection) request.getAttribute("activeSessions");
>> %>
>> <head>
>> @@ -41,10 +42,10 @@
>>    <meta name="author" content="Cedrik LIME"/>
>>    <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
>>    <meta name="robots" content="noindex,nofollow,noarchive"/>
>> - -    <title>Sessions Administration for <%= path %></title>
>> +    <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
>> </head>
>> <body>
>> - -<h1>Sessions Administration for <%= path %></h1>
>> +<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
>> <p>Tips:</p>
>> <ul>
>> @@ -58,13 +59,13 @@
>> <form action="<%= submitUrl %>" method="post" id="sessionsForm">
>>    <fieldset><legend>Active HttpSessions informations</legend>
>>        <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
>> - -        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
>> +        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
>>        <% String order = (String) request.getAttribute("order");
>>           if (order == null || "".equals(order)) {
>>               order = "ASC";
>>           }
>>        %>
>> - -        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
>> +        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
>>        <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
>>        <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
>>        <table border="1" cellpadding="2" cellspacing="2" width="100%">
>> @@ -100,7 +101,7 @@
>> <% Iterator iter = activeSessions.iterator();
>>   while (iter.hasNext()) {
>>       Session currentSession = (Session) iter.next();
>> - -       String currentSessionId = currentSession.getId();
>> +       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
>>       String type;
>>       if (currentSession instanceof DeltaSession) {
>>           if (((DeltaSession) currentSession).isPrimarySession()) {
>> @@ -121,13 +122,13 @@
>>                            out.print(currentSessionId);
>>                        } else {
>>                      %>
>> - -                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
>> +                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
>>                      <%
>>                        }
>>                      %>
>>                    </td>
>>                    <td style="text-align: center;"><%= type %></td>
>> - -                    <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
>> +                    <td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>>                    <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
>>                    <td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
>>                    <td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
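Review bot: type is still written into the href unescaped on the + line; that is only safe because the previous hunk's context shows it assigned inside the DeltaSession branch, so either escape it for consistency with the rest of this patch or add a comment recording that it is always a fixed literal. The out.print(currentSessionId) branch just above now prints the escaped form too, which is consistent with the variable being pre-escaped.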
> 
> 
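
Added example (not code from the advisory or from the Tomcat project) showing, in plain Java, the two layers a fix for the sort/order parameters described in the quoted advisory should have: output escaping equivalent to what the patch's JspHelper.escapeXml() calls provide, plus whitelist validation before the values are used. The escapeXml method, the SORT_COLUMNS set and the vulnerableSortInput/hardenedSortInput helpers are assumptions of this example, not the Manager's own code.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not part of the Tomcat Manager application: hardening the
// sort/order request parameters described in CVE-2010-4172.
public class SessionListParams {

    // Sort keys the session list is assumed to accept (constructed for this example).
    static final Set<String> SORT_COLUMNS = new HashSet<String>(Arrays.asList(
            "id", "type", "locale", "user", "creationTime", "lastAccessedTime"));

    // Minimal equivalent of an XML/HTML escaper such as JspHelper.escapeXml (assumed
    // behaviour): neutralises the five characters that can end a text node or a
    // quoted attribute. A null value becomes an empty string instead of "null".
    static String escapeXml(Object value) {
        if (value == null) {
            return "";
        }
        String s = value.toString();
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Whitelist layer: only known column names are accepted; anything else falls
    // back to the default so unexpected input never drives the page at all.
    static String validateSort(String sort) {
        return sort != null && SORT_COLUMNS.contains(sort) ? sort : "id";
    }

    // order can only ever be ASC or DESC, so validate it as such rather than
    // just defaulting when it is missing.
    static String validateOrder(String order) {
        return "DESC".equals(order) ? "DESC" : "ASC";
    }

    // Unpatched pattern from the advisory: raw request value inside an attribute.
    static String vulnerableSortInput(String sort) {
        return "<input type=\"hidden\" name=\"sort\" value=\"" + sort + "\"/>";
    }

    // Patched pattern: validate first, then escape exactly once at the output point.
    static String hardenedSortInput(String sort) {
        return "<input type=\"hidden\" name=\"sort\" value=\""
                + escapeXml(validateSort(sort)) + "\"/>";
    }

    public static void main(String[] args) {
        // The attribute-breaking value from the advisory's example request.
        String sort = "\"><script>alert('xss')</script>";

        // Raw insertion closes the value attribute and the input element.
        System.out.println("vulnerable: " + vulnerableSortInput(sort));

        // Escaping alone keeps the markup intact: quotes and brackets become entities.
        System.out.println("escaped only: " + escapeXml(sort));

        // Validation plus escaping: the unknown key never reaches the page.
        System.out.println("hardened: " + hardenedSortInput(sort));
        System.out.println("order: " + validateOrder("asc; anything"));

        // Pitfall visible in the patch: a value escaped at declaration and escaped
        // again at output is double-encoded, so escape once, where it is written.
        String once = escapeXml("a&b");
        System.out.println("once: " + once + "  twice: " + escapeXml(once));
    }
}
```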


Re: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Posted by Erwan de FERRIERES <er...@nereide.fr>.
On 01/12/2010 09:54, Jacques Le Roux wrote:
> Hi,
>
> Should we not update?
>
Hi,

Just wait for the 6.0.30 release, it should not be long!

Cheers,

-- 
Erwan de FERRIERES
www.nereide.biz

Re: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi,

Should we not update?

Thanks

Jacques

From: "Mark Thomas" <ma...@apache.org>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
>
> Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - - Tomcat 7.0.0 to 7.0.4
>  - Not affected in default configuration.
>  - Affected if CSRF protection is disabled
>  - Additional XSS issues if web applications are untrusted
> - - Tomcat 6.0.12 to 6.0.29
>  - Affected in default configuration
>  - Additional XSS issues if web applications are untrusted
> - - Tomcat 5.5.x
>  - Not affected
>
> Description:
> The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without 
> applying filtering and therefore is vulnerable to a cross-site scripting attack.
> Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose 
> session cookies from the manager application to an attacker.
> A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web 
> applications deployed were not trusted.
>
> Example:
> GET 
> /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - - Tomcat 7.0.0 to 7.0.4
>  - Remove the Manager application
>  - Remove the sessionList.jsp and sessionDetail.jsp files
>  - Ensure the CSRF protection is enabled
>  - Apply the patch 7.0.4 patch (see below)
>  - Update to 7.0.5 when released
> - - Tomcat 6.0.12 to 6.0.29
>  - Remove the Manager application
>  - Remove the sessionList.jsp and sessionDetail.jsp files
>  - Apply the patch for 6.0.29 (see below)
>  - Update to 6.0.30 when released
>
> No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
> releases.
>
> Credit:
> The original issue was discovered by Adam Muntner of Gotham Digital Science.
> Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
>
> Note: The patches
> The Apache Tomcat Security Team
>
>
> ****************
> Patch for 6.0.29
> ****************
>
> Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
> ===================================================================
> - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769)
> +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy)
> @@ -30,8 +30,10 @@
> <% String path = (String) request.getAttribute("path");
>    Session currentSession = (Session)request.getAttribute("currentSession");
>    HttpSession currentHttpSession = currentSession.getSession();
> - -   String currentSessionId = currentSession.getId();
> - -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
> +   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
> +   String submitUrl = JspHelper.escapeXml(
> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
> +           "?path=" + path);
> %>
> <head>
>     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
> @@ -45,7 +47,7 @@
>  <title>Sessions Administration: details for <%= currentSessionId %></title>
> </head>
> <body>
> - -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
> +<h1>Details for Session <%= currentSessionId %></h1>
>  <table style="text-align: left;" border="0">
>   <tr>
> @@ -54,7 +56,7 @@
>   </tr>
>   <tr>
>     <th>Guessed Locale</th>
> - -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
> +    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>   </tr>
>   <tr>
>     <th>Guessed User</th>
> @@ -120,7 +122,7 @@
>    String attributeName = (String) attributeNamesEnumeration.nextElement();
> %>
>  <tr>
> - - <td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="path" value="<%= path %>" /><input 
> type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" 
> /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" 
> /></div></form></td>
> + <td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="action" value="removeSessionAttribute" 
> /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= 
> JspHelper.escapeXml(attributeName) %>" /><input type="submit" value="Remove" /></div></form></td>
>  <td><%= JspHelper.escapeXml(attributeName) %></td>
>  <td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %><span title="<%= attributeValue == null ? "" : 
> attributeValue.getClass().toString() %>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
>  </tr>
> Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
> ===================================================================
> - --- webapps/manager/WEB-INF/jsp/sessionsList.jsp (revision 1037769)
> +++ webapps/manager/WEB-INF/jsp/sessionsList.jsp (working copy)
> @@ -26,7 +26,9 @@
>  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
> <% String path = (String) request.getAttribute("path");
> - -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + path;
> +   String submitUrl = JspHelper.escapeXml(
> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
> +           "?path=" + path);
>    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
> %>
> <head>
> @@ -38,10 +40,10 @@
>  <meta name="author" content="Cedrik LIME"/>
>  <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
>  <meta name="robots" content="noindex,nofollow,noarchive"/>
> - - <title>Sessions Administration for <%= path %></title>
> + <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
> </head>
> <body>
> - -<h1>Sessions Administration for <%= path %></h1>
> +<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
>  <p>Tips:</p>
> <ul>
> @@ -55,13 +57,13 @@
> <form action="<%= submitUrl %>" method="post" id="sessionsForm">
>  <fieldset><legend>Active HttpSessions informations</legend>
>  <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
> - - <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
> + <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
>  <% String order = (String) request.getAttribute("order");
>     if (order == null || "".equals(order)) {
>     order = "ASC";
>     }
>  %>
> - - <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
> + <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
>  <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" 
> onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
>  <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
>  <table border="1" cellpadding="2" cellspacing="2" width="100%">
> @@ -95,13 +97,13 @@
> <% Iterator iter = activeSessions.iterator();
>    while (iter.hasNext()) {
>    Session currentSession = (Session) iter.next();
> - -   String currentSessionId = currentSession.getId();
> +   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
> %>
>  <tr>
>  <td>
> - -<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl 
> %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= JspHelper.escapeXml(currentSessionId) 
> %></a>
> +<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl 
> %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= currentSessionId %></a>
>  </td>
> - - <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
> + <td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>  <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
>  <td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
>  <td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
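Review bot: In the trailing context lines, the user cell (`JspHelper.guessDisplayUserFromSession(currentSession)`) is still emitted without `escapeXml`, while the adjacent locale cell on the `+` line now gets it. Both values derive from session state that the deployed web application controls, which is the untrusted-webapp case the advisory describes, so either confirm that `guessDisplayUserFromSession` already returns escaped output or wrap it here the same way as the locale cell.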
>
>
>
> ***************
> Patch for 7.0.4
> ***************
>
> Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
> ===================================================================
> - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037768)
> +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy)
> @@ -30,9 +30,10 @@
> <% String path = (String) request.getAttribute("path");
>    Session currentSession = (Session)request.getAttribute("currentSession");
>    HttpSession currentHttpSession = currentSession.getSession();
> - -   String currentSessionId = currentSession.getId();
> - -   String submitUrl = response.encodeURL(((HttpServletRequest)
> - -           pageContext.getRequest()).getRequestURL().toString());
> +   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
> +   String submitUrl = JspHelper.escapeXml(response.encodeURL(
> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
> +           "?path=" + path));
> %>
> <head>
>     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
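Review bot: On the three `+` lines that build `submitUrl`, `path` is concatenated straight into the query string and the whole URL is then HTML-escaped with `JspHelper.escapeXml`. That escape is right for the `action` and `href` attribute contexts where `submitUrl` is used, but it is not URL encoding: a `path` containing characters reserved in a query string (`&`, `#`, `%`, `+`) would still change the request the form submits. URL-encode `path` first (`java.net.URLEncoder.encode(path, "UTF-8")`) and keep `escapeXml` on the result. The switch from `getRequestURL()` to `getRequestURI()` also drops scheme and host, which is fine for a same-origin form action but deserves a line in the commit message.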
> @@ -46,7 +47,7 @@
>     <title>Sessions Administration: details for <%= currentSessionId %></title>
> </head>
> <body>
> - -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
> +<h1>Details for Session <%= currentSessionId %></h1>
>  <table style="text-align: left;" border="0">
>   <tr>
> @@ -55,7 +56,7 @@
>   </tr>
>   <tr>
>     <th>Guessed Locale</th>
> - -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
> +    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>   </tr>
>   <tr>
>     <th>Guessed User</th>
> @@ -89,7 +90,6 @@
>  <form method="post" action="<%= submitUrl %>">
>   <div>
> - -    <input type="hidden" name="path" value="<%= path %>" />
>     <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
>     <input type="hidden" name="action" value="sessionDetail" />
>     <input type="submit" value="Refresh" />
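Review bot: Removing the hidden `path` input is consistent with `submitUrl` now carrying `?path=` in its query string, but this form is `method="post"`, so the change silently relies on the container merging query-string parameters with the POST body when the servlet calls getParameter. That is standard servlet behaviour, but the reason for dropping the field belongs in the commit message so the next reader does not re-add it; the same removal appears in the two later hunks of this file.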
> @@ -131,10 +131,9 @@
>             <td align="center">
>                 <form method="post" action="<%= submitUrl %>">
>                     <div>
> - -                        <input type="hidden" name="path" value="<%= path %>" />
>                         <input type="hidden" name="action" value="removeSessionAttribute" />
>                         <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
> - -                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
> +                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
>                         <%
>                           if ("Primary".equals(request.getAttribute("sessionType"))) {
>                         %>
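Review bot: `attributeName` is now escaped in the hidden attributeName input on the `+` line, and since session attribute names are chosen by the deployed web application this is the untrusted-webapp case the advisory describes. Check that any other use of `attributeName` in this table row, which lies outside the hunk's context lines, gets the same treatment; otherwise the hidden field is protected while a visible rendering of the same value is not.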
> @@ -156,7 +155,6 @@
>  <form method="post" action="<%=submitUrl%>">
>   <p style="text-align: center;">
> - -    <input type="hidden" name="path" value="<%= path %>" />
>     <input type="submit" value="Return to session list" />
>   </p>
> </form>
> Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
> ===================================================================
> - --- webapps/manager/WEB-INF/jsp/sessionsList.jsp (revision 1037768)
> +++ webapps/manager/WEB-INF/jsp/sessionsList.jsp (working copy)
> @@ -28,8 +28,9 @@
>  <%@page import="org.apache.catalina.manager.DummyProxySession"%><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
> <% String path = (String) request.getAttribute("path");
> - -   String submitUrl = response.encodeURL(((HttpServletRequest)
> - -           pageContext.getRequest()).getRequestURI() + "?path=" + path);
> +   String submitUrl = JspHelper.escapeXml(response.encodeURL(
> +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
> +           "?path=" + path));
>    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
> %>
> <head>
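Review bot: `submitUrl` is escaped once at assignment on the `+` lines and then used as-is in attribute contexts further down (`action="<%= submitUrl %>"` and the `href` of the session-detail link). That works, but nothing in the name records that the value is already HTML-escaped, so a later `JspHelper.escapeXml(submitUrl)` at a use site would double-escape the `&amp;` separators; a short comment on the declaration (or a name such as `escapedSubmitUrl`) would prevent that. Separately, `path` should be URL-encoded before it is appended to the query string, since `escapeXml` covers only the HTML attribute context.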
> @@ -41,10 +42,10 @@
>     <meta name="author" content="Cedrik LIME"/>
>     <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
>     <meta name="robots" content="noindex,nofollow,noarchive"/>
> - -    <title>Sessions Administration for <%= path %></title>
> +    <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
> </head>
> <body>
> - -<h1>Sessions Administration for <%= path %></h1>
> +<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
>  <p>Tips:</p>
> <ul>
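Review bot: Style point: this hunk escapes `path` at each use (`<title>` and `<h1>`), whereas the hunk above escapes `submitUrl` once at assignment and later hunks do the same for `currentSessionId`. Either convention is workable, but mixing them in one file makes it easy to miss a sink; escaping `path` once into a local and using that everywhere would match the rest of the patch. The `<meta name="author">` and copyright lines in context are static and need nothing.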
> @@ -58,13 +59,13 @@
> <form action="<%= submitUrl %>" method="post" id="sessionsForm">
>     <fieldset><legend>Active HttpSessions informations</legend>
>         <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
> - -        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
> +        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
>         <% String order = (String) request.getAttribute("order");
>            if (order == null || "".equals(order)) {
>                order = "ASC";
>            }
>         %>
> - -        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
> +        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
>         <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" 
> onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
>         <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
>         <table border="1" cellpadding="2" cellspacing="2" width="100%">
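Review bot: The `+` line for sessionsFormSort drops the `(String)` cast and passes `request.getAttribute("sort")` (an Object) straight to `JspHelper.escapeXml`, so this compiles only if escapeXml has an Object overload. Confirm that overload exists in the JspHelper shipped with 7.0.4 and check what it returns for a null attribute: the removed line rendered the literal text "null" when the attribute was absent, and the hidden field's value on first load depends on the replacement behaviour.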
> @@ -100,7 +101,7 @@
> <% Iterator iter = activeSessions.iterator();
>    while (iter.hasNext()) {
>        Session currentSession = (Session) iter.next();
> - -       String currentSessionId = currentSession.getId();
> +       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
>        String type;
>        if (currentSession instanceof DeltaSession) {
>            if (((DeltaSession) currentSession).isPrimarySession()) {
> @@ -121,13 +122,13 @@
>                             out.print(currentSessionId);
>                         } else {
>                       %>
> - -                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId 
> %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
> +                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId 
> %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
>                       <%
>                         }
>                       %>
>                     </td>
>                     <td style="text-align: center;"><%= type %></td>
> - -                    <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
> +                    <td style="text-align: center;"><%= 
> JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
>                     <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
>                     <td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
>                     <td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
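Review bot: The pre-escaped `currentSessionId` is used in three different contexts in this hunk: as element text inside the `<a>`, as the `sessionId` query-string value inside the `href`, and via `out.print(currentSessionId)` in the leading context line. `escapeXml` is the correct encoding for the first and third; inside the query string it is adequate only as long as Tomcat's session id generator emits URL-safe characters, so a comment saying so (or an explicit URL-encode for the href use) would keep a future maintainer from extending the pattern to values that are not so constrained. The `type` value interpolated into the same href is a constant chosen by the instanceof chain in the preceding hunk and needs nothing.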
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJM6r54AAoJEBDAHFovYFnn8HEP+gLTkB76D6xNffzu6bWkFXLF
> CJDKSeNJcbLeX8AGInTWPA73pndVe4c2uoW8qH31XSzrYyikR5BdQO7Fo3bZ4c1H
> 4nPdKtBciWxY43nkNQ8ZGXGP1ADDKS43uJioqPm/Hr9hzOYaNSkuw7063CQEB87B
> a0wUcG6pIdHMJEgu+CXicMWxQKpLM8IAvnLFmuiv/rkihXsZK1131r5UMX3oApD/
> 2r82MHqRAetJ1S5h19gYuUKM4wwCrdW1GGUmC3tjA5+ocrUOYKA2WccHLMitDqh3
> heoFQ7gLVEgqaFNSVQxYMBT1qqQN+wOxfhsghK2H49ukVdrgA7Vs71vlPz7QGmAq
> 7mlGQCfa219mSLTxt+G+u9fI3PpghodPwMEY8BeU3GuPDKze72U8oVIedO59rRJZ
> i2a1l2ob/sg/L5olyTGqMyu1cwkmx91ZAnovnUqHBpEYxVO4Nzc5N8cicN/+lEnS
> MrvsS6UzcZibLZMxmE+ILcVaoygN2wb/ERK05vXG9ou+BzyoufY+LD/aKwDvWcif
> oZv00Rl9TlQAbLYwGyUV/jvNXKAwn3WMqq6j1JH/yub+gjy5foit/cryD8N0x5p7
> FDXQVcELhnGI9xno6+yXuMWY/z2cmuIZEuGI8Rdg0XtICy7U1Gp3/YZoUFVnU3Qt
> QLXR/d5cHVjSXgtvTGGl
> =1Wya
> -----END PGP SIGNATURE-----
>