SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
(Red Hat Issues Fix) Tomcat Input Validation Holes in the JSP Examples, Manager, and Host Manager Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1018400
SecurityTracker URL:  http://securitytracker.com/id/1018400
CVE Reference:   CVE-2007-2449, CVE-2007-2450
Date:  Jul 17 2007
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary scripting code in the target user's browser, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0.0 to 4.0.6, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, 6.0.0 to 6.0.13
Description:   Two cross-site scripting vulnerabilities were reported in the web applications bundled with Tomcat. A remote user can run arbitrary script in a target user's browser in the context of the site running Tomcat.

The JSP examples web application (jsp-examples) writes user-supplied input, including parts of the request URI, into its pages without HTML-escaping it. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Tomcat software and will run in the security context (origin) of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided. The payload is carried in a path parameter, the segment after ';' in the last path component: the container ignores path parameters when mapping the request to snoop.jsp but still returns them from request.getRequestURI(), which the page echoes unescaped:

http://[target]:[port]/jsp-examples/snp/snoop.jsp;<script>alert()</script>test.jsp

This vulnerability was reported to JPCERT by a researcher.
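The following is an added example written for this page; it is not Tomcat's snoop.jsp source. The two render_* functions are a model of the one behaviour that matters (a page writing request.getRequestURI() into HTML, before and after the escaping fix); around them is a reusable probe builder and a response check. It uses the same path-parameter shape as the demonstration URL above but an inert marker tag instead of alert(), so a tester's own browser never executes anything. The host name tomcat.example, port 8080 and the marker text are assumptions. One caveat a practitioner needs: the '<' must be sent unencoded, exactly as in the original URL, because a percent-encoded %3C is returned verbatim by getRequestURI() and is harmless; modern Tomcat releases reject a request line containing a raw '<' with HTTP 400, so the probe can only succeed against old builds of the kind this advisory covers.

```python
"""Reflection check modelled on the jsp-examples snoop.jsp vector.

Added example: not Tomcat code. render_vulnerable/render_fixed model a
page that writes request.getRequestURI() into HTML before and after the
escaping fix; the rest is a reusable probe builder and response check.
"""
import html
import re
import urllib.request

# Inert marker: proves reflection without executing anything in a browser.
PROBE_TAG = "<xsscheck2449>"

# Assumed target; replace with the host under test.
DEFAULT_HOST = "tomcat.example"
DEFAULT_PORT = 8080


def build_probe_url(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                    tag: str = PROBE_TAG) -> str:
    """Same shape as the advisory's PoC: the payload sits in a path
    parameter (the ';...' segment). Tomcat drops path parameters when
    mapping the request to snoop.jsp but keeps them in getRequestURI(),
    so the page serves normally and echoes the payload.
    The '<' is left unencoded on purpose: '%3C' would be echoed as '%3C'."""
    return f"http://{host}:{port}/jsp-examples/snp/snoop.jsp;{tag}test.jsp"


def request_uri_of(url: str) -> str:
    """The request-URI the container sees: the URL minus scheme and host."""
    return re.sub(r"^https?://[^/]+", "", url)


def render_vulnerable(request_uri: str) -> str:
    """Model of the pre-fix page: the URI is written into the HTML verbatim."""
    return f"<b>Request URI:</b> {request_uri}<br>\n"


def render_fixed(request_uri: str) -> str:
    """Model of the fix: escape &, <, >, double and single quotes before
    writing. html.escape(quote=True) is the standard-library equivalent."""
    return f"<b>Request URI:</b> {html.escape(request_uri, quote=True)}<br>\n"


def reflected_as_markup(body: str, tag: str = PROBE_TAG) -> bool:
    """True when the marker came back with its angle brackets intact, which
    a browser would parse as an element; False when absent or escaped."""
    return tag in body


def probe(url: str, timeout: float = 5.0) -> bool:
    """Fetch the URL and classify the response body. Only reaches the
    vulnerable page on a server that still accepts a raw '<' in the
    request line; newer Tomcat answers 400 and urlopen raises HTTPError."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return reflected_as_markup(body)


if __name__ == "__main__":
    uri = request_uri_of(build_probe_url())
    print("probe URI:", uri)
    print("vulnerable model reflects markup:", reflected_as_markup(render_vulnerable(uri)))
    print("fixed model reflects markup:     ", reflected_as_markup(render_fixed(uri)))
```

To test a real host, call probe(build_probe_url("host", port)); a True result means the marker was returned as live markup and the installed jsp-examples is unpatched. The right production answer is still the one the Red Hat advisory gives: do not deploy the examples application at all.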

The Tomcat Manager and Host Manager web applications also write user-supplied data into their HTML responses without escaping it. A remote user can conduct cross-site scripting attacks against target users who are logged in to Manager or Host Manager; because those users are Tomcat administrators, the injected script runs inside an authenticated administrative session.

Daiki Fukumori, Secure Sky Technology, discovered this vulnerability.
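As an added detection example for both issues above (constructed for this page, not part of the advisory or of Tomcat): a triage pass over Tomcat AccessLogValve lines in the default 'common' pattern (%h %l %u %t "%r" %s %b) that flags markup in request targets aimed at the examples, Manager and Host Manager applications, and separates a bare probe from a hit against an authenticated Manager session, since the Manager/Host Manager issue only matters when the request comes from a logged-in browser. The log lines, client addresses and the user name admin are constructed samples.

```python
"""Triage of Tomcat access-log lines for XSS probes against the bundled
examples, Manager and Host Manager applications.

Added example, not part of the advisory. Assumes the AccessLogValve
'common' pattern: %h %l %u %t "%r" %s %b. Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Context roots of the applications named in the advisory (Tomcat 5.5 ships
# the JSP examples under /jsp-examples; Tomcat 6.0 folds them into /examples).
WATCHED_PREFIXES = ("/jsp-examples/", "/servlets-examples/", "/examples/",
                    "/manager/", "/host-manager/")

# Markup that has no business in a request target: a tag opener, an event
# handler attribute, or a javascript: URL. Heuristic, tune for your traffic.
MARKUP_RE = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


@dataclass
class Finding:
    client: str
    timestamp: str
    app: str
    status: int
    user: str
    authenticated_hit: bool   # payload was served into a logged-in session
    decoded_target: str


def decode_target(target: str) -> str:
    """Percent-decode twice so a double-encoded payload does not slip past."""
    return unquote(unquote(target))


def triage_line(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = target.split("?", 1)[0]
    app = next((p for p in WATCHED_PREFIXES if path.startswith(p)), None)
    if app is None:
        return None
    decoded = decode_target(target)
    if not MARKUP_RE.search(decoded):
        return None
    status = int(m.group("status"))
    user = m.group("user")
    # %u is the authenticated principal. A 401 is only the auth challenge:
    # the page that would carry the reflected markup was never rendered.
    authenticated_hit = user != "-" and 200 <= status < 400
    return Finding(m.group("client"), m.group("ts"), app, status, user,
                   authenticated_hit, decoded)


def triage(lines) -> List[Finding]:
    return [f for f in map(triage_line, lines) if f is not None]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jul/2007:10:15:32 +0000] "GET /jsp-examples/snp/snoop.jsp;<script>alert()</script>test.jsp HTTP/1.1" 200 1523',
    '203.0.113.7 - - [17/Jul/2007:10:16:01 +0000] "GET /manager/html/list?%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 401 954',
    '198.51.100.20 - admin [17/Jul/2007:10:20:45 +0000] "GET /manager/html/list?%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 7120',
    '192.0.2.9 - - [17/Jul/2007:10:21:03 +0000] "GET /jsp-examples/index.html HTTP/1.1" 200 3200',
    '192.0.2.9 - - [17/Jul/2007:10:21:09 +0000] "GET /docs/index.html?q=%3Cb%3E HTTP/1.1" 200 4320',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        kind = "AUTHENTICATED HIT" if f.authenticated_hit else "probe"
        print(f"{f.timestamp} {f.client} {f.app} {f.status} {kind}: {f.decoded_target}")
```

The third sample line is the case that matters for CVE-2007-2450: an authenticated administrator's browser fetched a Manager page carrying a script payload and got a 200, so the session that rendered it should be treated as compromised. The 401 line is a probe that never reached a rendered page.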

Impact:   A remote user can run script in the browser of a user of the site running the Tomcat software and thereby access that user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by that user via web form to the site, or take actions on the site acting as that user. For the Manager and Host Manager issue the affected user is an authenticated administrator.
Solution:   Red Hat has released a fix.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2007-0569.html
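To confirm on a host that the erratum build is actually installed (an added example for this page, not Red Hat tooling): compare the installed tomcat5 EVR, as printed by rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' tomcat5, against the fixed build named in the advisory's RPM list reproduced below, tomcat5-5.5.23-0jpp.1.0.4.el5, using a Python port of rpm's rpmvercmp segment ordering rather than a plain string comparison (which would rank release 1.0.10 below 1.0.4). Only 5.5.23-0jpp.1.0.4.el5 comes from the advisory; the other version strings in the code and its fallback are constructed.

```python
"""Is the RHSA-2007:0569 tomcat5 build (or a later one) installed?

Added example; not Red Hat tooling. Ports rpm's rpmvercmp() segment
ordering to Python and compares an installed EVR string with the fixed
build listed in the advisory. Run on the host as:
  python3 check_tomcat5.py "$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' tomcat5)"
"""
import sys
from typing import Tuple

# From the advisory's RPM list: tomcat5-5.5.23-0jpp.1.0.4.el5 (no epoch).
FIXED_EVR = "0:5.5.23-0jpp.1.0.4.el5"


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): split into numeric and alphabetic
    segments, compare numbers numerically and letters as strings, numeric
    segments outrank alphabetic ones, '~' sorts before anything (even end
    of string) and '^' sorts after end of string but before anything else."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ai, bj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        sa, sb = a[ai:i], b[bj:j]
        if not sb:                      # segment types differ: numeric wins
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1    # whichever still has characters wins


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """'EPOCH:VERSION-RELEASE' as printed by rpm --qf; rpm prints '(none)'
    for a missing epoch, which compares as 0."""
    evr = evr.strip()
    epoch_s, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    epoch = 0 if epoch_s in ("", "(none)") else int(epoch_s)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is the erratum build or a newer one."""
    return evrcmp(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Fallback value is a constructed pre-erratum build, for a dry run.
    installed = sys.argv[1] if len(sys.argv) > 1 else "(none):5.5.23-0jpp.1.0.3.el5"
    verdict = "fixed" if is_fixed(installed) else "VULNERABLE, update tomcat5"
    print(f"installed {installed.strip()} vs fixed {FIXED_EVR}: {verdict}")
```

The check only answers whether the package is current; the examples application remains a liability on any production host even when patched, so pair this with removing the tomcat5-webapps examples from production servers.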

Vendor URL:  tomcat.apache.org/
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  Red Hat Enterprise Linux 5

Message History:   This archive entry is a follow-up to the message listed below.
Jun 14 2007 Tomcat Input Validation Holes in the JSP Examples, Manager, and Host Manager Permit Cross-Site Scripting Attacks



 Source Message Contents

Subject:  [RHSA-2007:0569-01] Moderate: tomcat security update


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: tomcat security update
Advisory ID:       RHSA-2007:0569-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0569.html
Issue date:        2007-07-17
Updated on:        2007-07-17
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-2449 CVE-2007-2450 
- ---------------------------------------------------------------------

1. Summary:

Updated tomcat packages that fix two security issues and a packaging bug
are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Tomcat is a servlet container for Java Servlet and JavaServer Pages (JSP)
technologies.

Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).

Note: it is recommended the 'examples' web application not be installed on
a production system.

The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).

Users of Tomcat should update to these erratum packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

244804 - CVE-2007-2449 tomcat examples jsp XSS
244808 - CVE-2007-2450 tomcat host manager XSS
244846 - /var/tmp/rpm-tmp.25596: line 5: /usr/bin/rebuild-gcj-db: No such file or directory

6. RPMs required:

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tomcat5-5.5.23-0jpp.1.0.4.el5.src.rpm
15852dbd79c1d28ddc2a607b8c2cced6  tomcat5-5.5.23-0jpp.1.0.4.el5.src.rpm

i386:
e04e3a9648ee9f94f38bd76951d23fb7  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.i386.rpm
3100ed0342502126a609c5c15e78c764  tomcat5-jsp-2.0-api-5.5.23-0jpp.1.0.4.el5.i386.rpm
47ffd27d607f4755b5da7fa1a65c5c48  tomcat5-servlet-2.4-api-5.5.23-0jpp.1.0.4.el5.i386.rpm

x86_64:
0f3219dedf2d15538133cb8a13310b8b  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
cbfcdf5f827921a71fda67293f3e44a7  tomcat5-jsp-2.0-api-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
c25daaf3feb30744afc65c08a359635b  tomcat5-servlet-2.4-api-5.5.23-0jpp.1.0.4.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tomcat5-5.5.23-0jpp.1.0.4.el5.src.rpm
15852dbd79c1d28ddc2a607b8c2cced6  tomcat5-5.5.23-0jpp.1.0.4.el5.src.rpm

i386:
afa9a78630f8858f46db1434ad45fa7b  tomcat5-5.5.23-0jpp.1.0.4.el5.i386.rpm
8c0ecbce40287f71f530360b0a769361  tomcat5-admin-webapps-5.5.23-0jpp.1.0.4.el5.i386.rpm
7f2628a9557c146febed5442c522a6e0  tomcat5-common-lib-5.5.23-0jpp.1.0.4.el5.i386.rpm
e04e3a9648ee9f94f38bd76951d23fb7  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.i386.rpm
bc130f7c90ee690dc860712461ab9f82  tomcat5-jasper-5.5.23-0jpp.1.0.4.el5.i386.rpm
b653cc7d8aae4bb246079a9a9ce950d8  tomcat5-jasper-javadoc-5.5.23-0jpp.1.0.4.el5.i386.rpm
80429d018c31e87244213a9762ad10d3  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.1.0.4.el5.i386.rpm
3e564a9d6f0abf8f74ac5fe00cc3de25  tomcat5-server-lib-5.5.23-0jpp.1.0.4.el5.i386.rpm
b8f6d1c37c68d463fbdee1426352618d  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.1.0.4.el5.i386.rpm
7b4b8e5a891d09005bc8a1d2e1194d99  tomcat5-webapps-5.5.23-0jpp.1.0.4.el5.i386.rpm

x86_64:
1db5f282b62d759beda12cf35f83734f  tomcat5-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
74544541ba072e94b9970b5919db3892  tomcat5-admin-webapps-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
3694bc19303c73cd46e75ca23d1051a4  tomcat5-common-lib-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
0f3219dedf2d15538133cb8a13310b8b  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
901f900e947eb38b8d17ef31238523cc  tomcat5-jasper-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
6835af3f3c0b9aa0deddac7e67ed79e0  tomcat5-jasper-javadoc-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
c4df3c21719e1cf5d38c19491651aa7e  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
0d5f131c789ca95f59d0886939aa8fe7  tomcat5-server-lib-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
66c20908529976c99cbf6bb41eecfbee  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
672951c48aacff47f1124c896445b887  tomcat5-webapps-5.5.23-0jpp.1.0.4.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/tomcat5-5.5.23-0jpp.1.0.4.el5.src.rpm
15852dbd79c1d28ddc2a607b8c2cced6  tomcat5-5.5.23-0jpp.1.0.4.el5.src.rpm

i386:
afa9a78630f8858f46db1434ad45fa7b  tomcat5-5.5.23-0jpp.1.0.4.el5.i386.rpm
8c0ecbce40287f71f530360b0a769361  tomcat5-admin-webapps-5.5.23-0jpp.1.0.4.el5.i386.rpm
7f2628a9557c146febed5442c522a6e0  tomcat5-common-lib-5.5.23-0jpp.1.0.4.el5.i386.rpm
e04e3a9648ee9f94f38bd76951d23fb7  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.i386.rpm
bc130f7c90ee690dc860712461ab9f82  tomcat5-jasper-5.5.23-0jpp.1.0.4.el5.i386.rpm
b653cc7d8aae4bb246079a9a9ce950d8  tomcat5-jasper-javadoc-5.5.23-0jpp.1.0.4.el5.i386.rpm
3100ed0342502126a609c5c15e78c764  tomcat5-jsp-2.0-api-5.5.23-0jpp.1.0.4.el5.i386.rpm
80429d018c31e87244213a9762ad10d3  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.1.0.4.el5.i386.rpm
3e564a9d6f0abf8f74ac5fe00cc3de25  tomcat5-server-lib-5.5.23-0jpp.1.0.4.el5.i386.rpm
47ffd27d607f4755b5da7fa1a65c5c48  tomcat5-servlet-2.4-api-5.5.23-0jpp.1.0.4.el5.i386.rpm
b8f6d1c37c68d463fbdee1426352618d  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.1.0.4.el5.i386.rpm
7b4b8e5a891d09005bc8a1d2e1194d99  tomcat5-webapps-5.5.23-0jpp.1.0.4.el5.i386.rpm

ia64:
1fbb19614a5c9a5d72c120e29b5094d3  tomcat5-5.5.23-0jpp.1.0.4.el5.ia64.rpm
77b1bf61e1ccb7e2af21d93105951997  tomcat5-admin-webapps-5.5.23-0jpp.1.0.4.el5.ia64.rpm
e1b01f270313d22a6b957c4336352bd6  tomcat5-common-lib-5.5.23-0jpp.1.0.4.el5.ia64.rpm
be47ede5989fbd0dc4398d839efd142c  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.ia64.rpm
e1d93c56b0d3730914fe90694e7db9cd  tomcat5-jasper-5.5.23-0jpp.1.0.4.el5.ia64.rpm
9205bc162daa17e9f6314ed14e1f31bb  tomcat5-jasper-javadoc-5.5.23-0jpp.1.0.4.el5.ia64.rpm
55ae893c5887213a4cc85cff3f482ec3  tomcat5-jsp-2.0-api-5.5.23-0jpp.1.0.4.el5.ia64.rpm
cf286fcf847a5325c0b3d2c8c1ff1c58  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.1.0.4.el5.ia64.rpm
b404c9faa4503e4fe41d1fe8b3a4a721  tomcat5-server-lib-5.5.23-0jpp.1.0.4.el5.ia64.rpm
d697720c77f93baaada1540e35913198  tomcat5-servlet-2.4-api-5.5.23-0jpp.1.0.4.el5.ia64.rpm
56e8a796da04decd34bee5ba8616c284  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.1.0.4.el5.ia64.rpm
fd8352214a62573bd2456c252f8fc186  tomcat5-webapps-5.5.23-0jpp.1.0.4.el5.ia64.rpm

ppc:
f8625d3b5ef073ac8de77b1bdf9f01a4  tomcat5-5.5.23-0jpp.1.0.4.el5.ppc.rpm
d7804d9e2ee85e8adaadc3695f9a1fcf  tomcat5-admin-webapps-5.5.23-0jpp.1.0.4.el5.ppc.rpm
861f24537832282f47248a4d494eaad5  tomcat5-common-lib-5.5.23-0jpp.1.0.4.el5.ppc.rpm
0dbaa701244414a6babde13da3698129  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.ppc.rpm
36cee8546f804c0ea91fad586d9db6cd  tomcat5-jasper-5.5.23-0jpp.1.0.4.el5.ppc.rpm
e84767196956742319016c08fc59f4b9  tomcat5-jasper-javadoc-5.5.23-0jpp.1.0.4.el5.ppc.rpm
05085799e57547f7b95370cf93097ad1  tomcat5-jsp-2.0-api-5.5.23-0jpp.1.0.4.el5.ppc.rpm
a9ff8fe3c28adfacc923accc2e02238f  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.1.0.4.el5.ppc.rpm
a32d42fb280bb96daa06abd576a315a2  tomcat5-server-lib-5.5.23-0jpp.1.0.4.el5.ppc.rpm
37746d0e7931671779fbad9b61877703  tomcat5-servlet-2.4-api-5.5.23-0jpp.1.0.4.el5.ppc.rpm
d91221a346ce66fa021701440b6bc429  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.1.0.4.el5.ppc.rpm
2d1ab7c457ae33a9fe00f13c6a0f8b6a  tomcat5-webapps-5.5.23-0jpp.1.0.4.el5.ppc.rpm

s390x:
3d86afce9e1b0a269701b5b2225d0ebb  tomcat5-5.5.23-0jpp.1.0.4.el5.s390x.rpm
36b7b3706abeda4f31fdce022e6f266d  tomcat5-admin-webapps-5.5.23-0jpp.1.0.4.el5.s390x.rpm
deabcb46f038caa0aff7f173e2430db7  tomcat5-common-lib-5.5.23-0jpp.1.0.4.el5.s390x.rpm
f67b472f1d874f64f287a407f3c8e608  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.s390x.rpm
3e2c4780d83adf2ec2f75dabeeebc573  tomcat5-jasper-5.5.23-0jpp.1.0.4.el5.s390x.rpm
8e0ecac842e2079335a0a12a588b6cbc  tomcat5-jasper-javadoc-5.5.23-0jpp.1.0.4.el5.s390x.rpm
3389c6531f4ab0df5644f9a75890f798  tomcat5-jsp-2.0-api-5.5.23-0jpp.1.0.4.el5.s390x.rpm
fb0e8d1800a1154fdf9685e657471db5  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.1.0.4.el5.s390x.rpm
0a7e68052ce02e1f12561c4ba81804b9  tomcat5-server-lib-5.5.23-0jpp.1.0.4.el5.s390x.rpm
36d5b39eab1d8319e35672856ce73732  tomcat5-servlet-2.4-api-5.5.23-0jpp.1.0.4.el5.s390x.rpm
a5b178ad39e13481070be36675b936f0  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.1.0.4.el5.s390x.rpm
b76e10eb457da5b811e8b340400e872b  tomcat5-webapps-5.5.23-0jpp.1.0.4.el5.s390x.rpm

x86_64:
1db5f282b62d759beda12cf35f83734f  tomcat5-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
74544541ba072e94b9970b5919db3892  tomcat5-admin-webapps-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
3694bc19303c73cd46e75ca23d1051a4  tomcat5-common-lib-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
0f3219dedf2d15538133cb8a13310b8b  tomcat5-debuginfo-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
901f900e947eb38b8d17ef31238523cc  tomcat5-jasper-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
6835af3f3c0b9aa0deddac7e67ed79e0  tomcat5-jasper-javadoc-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
cbfcdf5f827921a71fda67293f3e44a7  tomcat5-jsp-2.0-api-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
c4df3c21719e1cf5d38c19491651aa7e  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
0d5f131c789ca95f59d0886939aa8fe7  tomcat5-server-lib-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
c25daaf3feb30744afc65c08a359635b  tomcat5-servlet-2.4-api-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
66c20908529976c99cbf6bb41eecfbee  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.1.0.4.el5.x86_64.rpm
672951c48aacff47f1124c896445b887  tomcat5-webapps-5.5.23-0jpp.1.0.4.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFGnJvQXlSAg2UNWIIRAvWNAKCAmMjPvRMQQAn2bY8ZsznT/MNYCwCeOGkt
Yj7fPKtDEzYnYsW4hs49H5A=
=UBUR
-----END PGP SIGNATURE-----



-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

 
 


Copyright 2019, SecurityGlobal.net LLC