SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat Manager Input Validation Hole in 'sessionList.jsp' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1024764
SecurityTracker URL:  http://securitytracker.com/id/1024764
CVE Reference:   CVE-2010-4172   (Links to External Site)
Date:  Nov 22 2010
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.0.12 to 6.0.29, 7.0.0 to 7.0.4
Description:   A vulnerability was reported in Apache Tomcat Manager. A remote user can conduct cross-site scripting attacks.

The Apache Tomcat Manager application not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Tomcat software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'orderBy' and 'sort request' parameters in the session list screen (sessionList.jsp) are affected.

A demonstration exploit request is provided:

GET /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Versions 7.0.0 to 7.0.4 are not affected in the default configuration.

Adam Muntner of Gotham Digital Science reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Tomcat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a patch for 6.0.29 and 7.0.4.

The fix will be included in future versions 6.0.30 and 7.0.5.

Vendor URL:  tomcat.apache.org/security-7.html (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 20 2011 (Red Hat Issues Fix) Apache Tomcat Manager Input Validation Hole in 'sessionList.jsp' Permits Cross-Site Scripting Attacks   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



 Source Message Contents

Date:  Mon, 22 Nov 2010 19:03:21 +0000
Subject:  [Full-disclosure] [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- - Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- - Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.

Example:
GET /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the patch 7.0.4 patch (see below)
  - Update to 7.0.5 when released
- - Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches 
The Apache Tomcat Security Team


****************
Patch for 6.0.29
****************

Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(working copy)
@@ -30,8 +30,10 @@
 <% String path = (String) request.getAttribute("path");
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path);
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
@@ -45,7 +47,7 @@
 	<title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
  <table style="text-align: left;" border="0">
   <tr>
@@ -54,7 +56,7 @@
   </tr>
   <tr>
     <th>Guessed Locale</th>
- -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
   </tr>
   <tr>
     <th>Guessed User</th>
@@ -120,7 +122,7 @@
    	String attributeName = (String) attributeNamesEnumeration.nextElement();
 %>
 		<tr>
- -			<td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="path" value="<%= path %>" /><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" /></div></form></td>
+			<td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" /><input type="submit" value="Remove" /></div></form></td>
 			<td><%= JspHelper.escapeXml(attributeName) %></td>
 			<td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %><span title="<%= attributeValue == null ? "" : attributeValue.getClass().toString() %>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
 		</tr>
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionsList.jsp	(revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionsList.jsp	(working copy)
@@ -26,7 +26,9 @@
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
- -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + path;
+   String submitUrl = JspHelper.escapeXml(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path);
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -38,10 +40,10 @@
 	<meta name="author" content="Cedrik LIME"/>
 	<meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
 	<meta name="robots" content="noindex,nofollow,noarchive"/>
- -	<title>Sessions Administration for <%= path %></title>
+	<title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
 </head>
 <body>
- -<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
  <p>Tips:</p>
 <ul>
@@ -55,13 +57,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
 	<fieldset><legend>Active HttpSessions informations</legend>
 		<input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
- -		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
 		<% String order = (String) request.getAttribute("order");
 		   if (order == null || "".equals(order)) {
 		   	order = "ASC";
 		   }
 		%>
- -		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
 		<input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
 		<%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
 		<table border="1" cellpadding="2" cellspacing="2" width="100%">
@@ -95,13 +97,13 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
    	Session currentSession = (Session) iter.next();
- -   	String currentSessionId = currentSession.getId();
+   	String currentSessionId = JspHelper.escapeXml(currentSession.getId());
 %>
 				<tr>
 					<td>
- -<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= JspHelper.escapeXml(currentSessionId) %></a>
+<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= currentSessionId %></a>
 					</td>
- -					<td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+					<td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
 					<td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>



***************
Patch for 7.0.4
***************

Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(revision 1037768)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(working copy)
@@ -30,9 +30,10 @@
 <% String path = (String) request.getAttribute("path");
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl = response.encodeURL(((HttpServletRequest)
- -           pageContext.getRequest()).getRequestURL().toString());
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
@@ -46,7 +47,7 @@
     <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
  <table style="text-align: left;" border="0">
   <tr>
@@ -55,7 +56,7 @@
   </tr>
   <tr>
     <th>Guessed Locale</th>
- -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
   </tr>
   <tr>
     <th>Guessed User</th>
@@ -89,7 +90,6 @@
  <form method="post" action="<%= submitUrl %>">
   <div>
- -    <input type="hidden" name="path" value="<%= path %>" />
     <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
     <input type="hidden" name="action" value="sessionDetail" />
     <input type="submit" value="Refresh" />
@@ -131,10 +131,9 @@
             <td align="center">
                 <form method="post" action="<%= submitUrl %>">
                     <div>
- -                        <input type="hidden" name="path" value="<%= path %>" />
                         <input type="hidden" name="action" value="removeSessionAttribute" />
                         <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
- -                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
                         <%
                           if ("Primary".equals(request.getAttribute("sessionType"))) {
                         %>
@@ -156,7 +155,6 @@
  <form method="post" action="<%=submitUrl%>">
   <p style="text-align: center;">
- -    <input type="hidden" name="path" value="<%= path %>" />
     <input type="submit" value="Return to session list" />
   </p>
 </form>
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionsList.jsp	(revision 1037768)
+++ webapps/manager/WEB-INF/jsp/sessionsList.jsp	(working copy)
@@ -28,8 +28,9 @@
  <%@page import="org.apache.catalina.manager.DummyProxySession"%><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
- -   String submitUrl = response.encodeURL(((HttpServletRequest)
- -           pageContext.getRequest()).getRequestURI() + "?path=" + path);
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -41,10 +42,10 @@
     <meta name="author" content="Cedrik LIME"/>
     <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
     <meta name="robots" content="noindex,nofollow,noarchive"/>
- -    <title>Sessions Administration for <%= path %></title>
+    <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
 </head>
 <body>
- -<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
  <p>Tips:</p>
 <ul>
@@ -58,13 +59,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
     <fieldset><legend>Active HttpSessions informations</legend>
         <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
- -        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
         <% String order = (String) request.getAttribute("order");
            if (order == null || "".equals(order)) {
                order = "ASC";
            }
         %>
- -        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
         <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
         <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
         <table border="1" cellpadding="2" cellspacing="2" width="100%">
@@ -100,7 +101,7 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
        Session currentSession = (Session) iter.next();
- -       String currentSessionId = currentSession.getId();
+       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
        String type;
        if (currentSession instanceof DeltaSession) {
            if (((DeltaSession) currentSession).isPrimarySession()) {
@@ -121,13 +122,13 @@
                             out.print(currentSessionId);
                         } else {
                       %>
- -                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
+                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
                       <%
                         }
                       %>
                     </td>
                     <td style="text-align: center;"><%= type %></td>
- -                    <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+                    <td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
                     <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
                     <td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
                     <td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJM6r54AAoJEBDAHFovYFnn8HEP+gLTkB76D6xNffzu6bWkFXLF
CJDKSeNJcbLeX8AGInTWPA73pndVe4c2uoW8qH31XSzrYyikR5BdQO7Fo3bZ4c1H
4nPdKtBciWxY43nkNQ8ZGXGP1ADDKS43uJioqPm/Hr9hzOYaNSkuw7063CQEB87B
a0wUcG6pIdHMJEgu+CXicMWxQKpLM8IAvnLFmuiv/rkihXsZK1131r5UMX3oApD/
2r82MHqRAetJ1S5h19gYuUKM4wwCrdW1GGUmC3tjA5+ocrUOYKA2WccHLMitDqh3
heoFQ7gLVEgqaFNSVQxYMBT1qqQN+wOxfhsghK2H49ukVdrgA7Vs71vlPz7QGmAq
7mlGQCfa219mSLTxt+G+u9fI3PpghodPwMEY8BeU3GuPDKze72U8oVIedO59rRJZ
i2a1l2ob/sg/L5olyTGqMyu1cwkmx91ZAnovnUqHBpEYxVO4Nzc5N8cicN/+lEnS
MrvsS6UzcZibLZMxmE+ILcVaoygN2wb/ERK05vXG9ou+BzyoufY+LD/aKwDvWcif
oZv00Rl9TlQAbLYwGyUV/jvNXKAwn3WMqq6j1JH/yub+gjy5foit/cryD8N0x5p7
FDXQVcELhnGI9xno6+yXuMWY/z2cmuIZEuGI8Rdg0XtICy7U1Gp3/YZoUFVnU3Qt
QLXR/d5cHVjSXgtvTGGl
=1Wya
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC