Posted to users@tomcat.apache.org by St...@asknet.de on 2001/07/16 16:15:38 UTC

Cross-Site Scripting Vulnerability

Hi all

this has probably been discussed long ago,
but I couldn't find any hints.

Is this fixed in tomcat 3.2.2?

thanks a lot

regards

stefan



Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================

Affected products:
=================
  Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
     <http://jakarta.apache.org/tomcat/>
  JRun 3.0
     <http://www.allaire.com/products/jrun/index.cfm>
  WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
     <http://www-4.ibm.com/software/webservers/>
  Resin
     <http://www.caucho.com/products/resin/>


Not affected:
============
  Unknown


Problem:
=======
  When the following URLs are accessed, the JavaScript code will be
  executed in the browser on the server's domain.

  Tomcat 3.2.1:
    http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  JRun 3.0:
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml
  WebSphere 3.5 FP2:
    http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>
  WebSphere 3.02:
    http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  VisualAge for Java 3.5 Professional:
    http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>
  Resin 1.2.2:
    http://Reisin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

  These pages produce output like this:
  =================================================
  Error 404
  An error has occurred while processing request:
  http://WebSphere/webapp/examples/******

  Message: File not found: //******
  StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //******
          at javax.servlet.ServletException.<init>(ServletException.java:107)
          at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
          at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
          at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
          ...
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>


Impact:
======
  For details about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>
  <http://www.apache.org/info/css-security/>


Vendor status:
=============

  Tomcat:
  ======
    Notified:
      16 Mar 2001 04:32:02 +0900, I-found-a-security-problem-in-the-apache-source-code@apache.org
      17 Mar 2001 18:55:45 +0900, tomcat-dev@jakarta.apache.org
    Response:
      17 Mar 2001 20:07:42 -0000
    Fix:
      30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
      11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
    Announcement:
      <http://jakarta.apache.org/tomcat/news.html>

      Sun Microsystems does not publish Tomcat vulnerabilities.
      <http://java.sun.com/products/jsp/tomcat/>
      <http://java.sun.com/sfaq/chronology.html>

  JRun:
  ====
    Notified:
      13 Mar 2001 23:11:54 +0900, secure@allaire.com
    Response:
      13 Mar 2001 09:43:49 -0500
      14 Mar 2001 09:05:03 -0500
    Fix:
      28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
    Announcement:
      <http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
      Macromedia Product Security Bulletin (MPSB01-06)
      JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
      (a.k.a. JavaScript code execution vulnerability)

  WebSphere:
  =========
    Notified:
      20 Mar 2001 08:13:30 +0900, *******@us.ibm.com
    Response:
      22 Mar 2001 09:14:01 -0500
      23 Mar 2001 00:02:58 +0900
    Fix:
      PQ47386V302x (?)
      <http://www-4.ibm.com/software/webservers/appserv/efix.html>
    Announcement:
      <http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
      (in Japanese)

  Resin:
  =====
    Notified:
      16 Mar 2001 02:26:47 +0900, bugs@caucho.com, resin@caucho.com
    Response:
      None
    Fix:
      Unknown
    Announcement:
      Unknown
      http://www.caucho.com/products/resin/changes.xtp

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
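
The "Customize error pages" workaround, sketched as an added example that is not part of the original post, the advisory, or any vendor's code: the default 404 body echoes the request path as markup, while a custom page emits it as text only. The class and method names are hypothetical, and the sample path is the one from the advisory's Tomcat 3.2.1 URL.

```java
// Added example. Uses only the JDK so it runs stand-alone; in a container
// the same rendering would sit behind an <error-page> mapping in web.xml,
// reading the path from the request (for example the request attribute
// javax.servlet.error.request_uri on Servlet 2.3 and later).
public class ErrorPageEscape {

    // Encode the characters that are significant in HTML text and in
    // quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour the advisory describes: the requested path is copied
    // into the error page unchanged, so the browser parses it as markup.
    static String render404Default(String requestUri) {
        return "<html><body><h1>Error 404</h1>\n"
             + "<p>File not found: " + requestUri + "</p></body></html>";
    }

    // Custom error page: same message, path encoded before output.
    static String render404Custom(String requestUri) {
        return "<html><body><h1>Error 404</h1>\n"
             + "<p>File not found: " + escapeHtml(requestUri) + "</p></body></html>";
    }

    public static void main(String[] args) {
        String uri = "/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp";
        String before = render404Default(uri);
        String after = render404Custom(uri);
        System.out.println(before + "\n\n" + after);
        // The default page carries a live element; the custom page does not.
        if (!before.contains("<SCRIPT>")) throw new AssertionError("default page");
        if (after.contains("<SCRIPT>") || !after.contains("&lt;SCRIPT&gt;"))
            throw new AssertionError("custom page");
    }
}
```

A custom error page that is fully static and echoes nothing from the request avoids the problem without any encoding step.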