Apache Tomcat Input Validation Hole in Processing Accept-Language Header Permits Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1018269
SecurityTracker URL: http://securitytracker.com/id?1018269
CVE Reference: CVE-2007-1358
Date: Jun 19 2007
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.0.0 to 4.0.6, 4.1.0 to 4.1.34, 5.0.0 to 5.0.30, 5.5.0 to 5.5.20, 6.0.0 to 6.0.5

Description: A vulnerability was reported in Apache Tomcat. A remote user can conduct cross-site scripting attacks.
The server may not properly filter HTML code from user-supplied input in the 'Accept-Language' header before displaying the input.
A remote user can cause arbitrary scripting code to be executed by the target user's browser in certain cases. The code
will originate from the site running the Tomcat software and will run in the security context of that site. As a result, the code
will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data
recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
This can be exploited via "older" versions of the Flash player, where Flash files can make requests with arbitrary header values.
Masato Anzai and Toshiharu Sugiyama reported this vulnerability.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Tomcat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.

Solution: The vendor has issued fixed versions.

Vendor URL: tomcat.apache.org/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Mark Thomas <markt@apache.org>

Source Message Contents
Date: Mon, 18 Jun 2007 19:30:20 -0400
From: Mark Thomas <markt@apache.org>
Subject: [CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language
CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language header processing
Severity:
Low (cross-site scripting)
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.34
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.20
Tomcat 6.0.0 to 6.0.5
Description:
Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
the Accept-Language header value conforms to RFC 2616. Under normal
circumstances this would not be possible to exploit; however, older
versions of Flash player were known to allow carefully crafted
malicious Flash files to make requests with such custom headers.
Tomcat now ignores invalid values for Accept-Language headers that do
not conform to RFC 2616.
Mitigation:
1. Upgrade to a fixed version.
2. Escape values obtained from Accept-Language header before use.
Credit:
This issue was reported by Masato Anzai and Toshiharu Sugiyama.
References:
http://tomcat.apache.org/security.html
Mark Thomas
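The two mitigations above (ignore Accept-Language values that do not conform to RFC 2616, and escape whatever is echoed) as an added Python example; this is not Tomcat's or SecurityTracker's code, and the function names, the constructed header values and the "en" fallback are assumptions made for the illustration.

```python
import html
import re

# RFC 2616 grammar for Accept-Language (sections 14.4 and 3.10):
#   language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
#   qvalue         = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
# Added example, not Tomcat's own validation code.
_LANG_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)"
_QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"
_ELEMENT = re.compile(rf"^{_LANG_RANGE}(?:\s*;\s*q\s*=\s*{_QVALUE})?$")


def parse_accept_language(value):
    """Return a list of (language_range, q) pairs when `value` conforms to
    RFC 2616, or None when it does not. A None result means the header
    should be ignored entirely, which is what the fixed Tomcat releases do."""
    if value is None:
        return None
    ranges = []
    for raw in value.split(","):
        element = raw.strip()
        if not _ELEMENT.match(element):
            return None  # one malformed element taints the whole header
        if ";" in element:
            lang, q = element.split(";", 1)
            q_num = float(q.split("=", 1)[1].strip())
        else:
            lang, q_num = element, 1.0
        ranges.append((lang.strip(), q_num))
    return ranges


def render_language_line(value, fallback="en"):
    """Echo the client's preferred language into HTML defensively: drop any
    non-conforming header (the fix) and HTML-escape whatever is rendered
    (the advisory's second mitigation), so no single check is relied on.
    The fallback language is an assumption for this example."""
    # q=0 means "not acceptable" in RFC 2616, so such ranges are skipped.
    acceptable = [r for r in (parse_accept_language(value) or []) if r[1] > 0]
    if acceptable:
        # Highest q wins; ties keep the client's order.
        chosen = max(acceptable, key=lambda r: r[1])[0]
    else:
        chosen = fallback
    return "<p>Preferred language: %s</p>" % html.escape(chosen, quote=True)
```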