wp-02-0008.txt

wp-02-0008.txt: Posted Jul 11, 2002; Authored by Matt Moore | Site westpoint.ltd.uk; Westpoint Security Advisory wp-02-0008 - Apache Tomcat v4.0.3 is vulnerable to cross site scripting attacks by using the /servlet/ mapping. Linux and Win32 versions of Tomcat are vulnerable.; tags | xss; systems | linux, windows; SHA-256 | 7c8753a353b10b9fcac8e6d4fcd9c7fd8be17eae6139f7796cc2b8b8fa6dea83; Download | Favorite | View

wp-02-0008.txt

Westpoint Security Advisory

Title:     Apache Tomcat Cross Site Scripting    
Risk Rating:  Low
Software:   Apache Tomcat v4.0.3
Platforms:  WinNT, Win2k, Linux
Vendor URL:   jakarta.apache.org
Author:    Matt Moore <matt@westpoint.ltd.uk>
Date:    10th July 2002
Advisory ID#:  wp-02-0008

Overview:
=========
Apache Tomcat is the servlet container that is used in the official Reference 
Implementation for the Java Servlet and JavaServer Pages technologies. 

Tomcat has a couple of Cross Site Scripting vulnerabilities.

Details:
========

Cross Site Scripting
--------------------

By using the /servlet/ mapping to invoke various servlets / classes it is
possible to cause Tomcat to throw an exception, allowing XSS attacks:

tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.ContainerServlet/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Context/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Globals/SCRIPTalert(document.domain)/SCRIPT

Linux and Win32 versions of Tomcat are vulnerable.

(angle brackets omitted)

The DOS device name physical path disclosure bug reported recently by Peter Grundl
can also be used to perform XSS attacks, e.g:

tomcat-server/COM2.IMG%20src="Javascript:alert(document.domain)"

This is obviously Win32 specific.

Vendor Response:
================
None.

Patch Information:
==================

Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.

The workaround for the other XSS issues described above is as follows:

The "invoker" servlet (mapped to /servlet/), which executes anonymous servlet
classes that have not been defined in a web.xml file should be unmapped.

The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.

Two Nessus plugins are available to test for these vulnerabilities from
www.nessus.org:

apache_tomcat_DOS_Device_XSS.nasl
apache_tomcat_Servlet_XSS.nasl

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 87 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
bRpsd 4 files
Google Security Research 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

wp-02-0008.txt

wp-02-0008.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

wp-02-0008.txt

Share This

wp-02-0008.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems