SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Server/CGI)  >  Tomcat Vendors:  Apache Software Foundation
Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1020622
SecurityTracker URL:  http://securitytracker.com/id?1020622
CVE Reference:  CVE-2008-1232   (Links to External Site)
Date:  Aug 4 2008
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 4.1.0 to 4.1.37, 5.5.0 to 5.5.26, 6.0.0 to 6.0.16
Description:  A vulnerability was reported in Tomcat. A remote user can conduct cross-site scripting attacks.

The HttpServletResponse.sendError() function does not properly filter HTML code from user-supplied input before displaying the input on an error page. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Tomcat software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Konstantin Kolinko reported this vulnerability.
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Tomcat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has issued a fixed version (6.0.18).

For version 5.5.x, a fix is available via SVN or via this patch:

http://svn.apache.org/viewvc?rev=680947&view=rev

For version 4.1.x, a fix is available via SVN or via this patch:

http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev

The vendor's advisory is available at:

http://tomcat.apache.org/security.html
Vendor URL:  tomcat.apache.org/security.html (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Mark Thomas <markt@apache.org>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 27 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Oct 3 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Developer Suite.
Oct 3 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Application Server.
Dec 8 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Network Satellite Server.
Feb 24 2009 (VMware Issues Fix for VirtualCenter) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   (VMware Security Announcements <security-announce@lists.vmware.com>)
VMware has issued a fix for VirtualCenter.
Feb 26 2009 (Sun Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
Sun has issued a fix for Solaris 9 and 10 and OpenSolaris.
Jun 16 2009 (CA Issues Fix for CA Service Desk) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   ("Williams, James K" <James.Williams@ca.com>)
CA has issued a fix for CA Service Desk.
Aug 7 2009 (CA Issues Fix for Unicenter Products) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   ("Kotas, Kevin J" <Kevin.Kotas@ca.com>)
CA has issued a fix for CA Unicenter Asset Portfolio Management, Unicenter Desktop and Server Management, and Unicenter Patch Management.
Oct 16 2009 (VMware Issues Fix for ESX Server) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks   (VMware Security Announcements <security-announce@lists.vmware.com>)
VMware has issued a fix for ESX Server 3.5.


 Source Message Contents
Date:  Fri, 01 Aug 2008 15:06:19 +0100
From:  Mark Thomas <markt@apache.org>
Subject:  [CVE-2008-1232] Apache Tomcat XSS vulnerability

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-1232: Apache Tomcat XSS vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
The message argument of HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of HTTP
response. This may include characters that are illegal in HTTP headers. It
is possible for a specially crafted message to result in arbitrary content
being injected into the HTTP response. For a successful XSS attack,
unfiltered user supplied data must be included in the message argument.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev

4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev

Example:
<%@page contentType="text/html"%>
<%
~  // some unicode characters, that result in CRLF being printed
~  final String CRLF = "\u010D\u010A";

~  final String payload = CRLF + CRLF + "<script
type='text/javascript'>document.write('Hi, there!')</script><div
style='display:none'>";
~  final String message = "Authorization is required to access " + payload;
~  response.sendError(403, message);
%>


Credit:
This issue was discovered by Konstantin Kolinko.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiTGFsACgkQb7IeiTPGAkNG6ACfY+P91mt1/h06Q8c5foCJldFp
9B8An2OvenCD+3nWbLazp6Th+lxWgL7f
=lTUT
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC