Apache Tomcat Input Validation Hole in Processing Accept-Language Header Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1018269
SecurityTracker URL: http://securitytracker.com/id/1018269
Date: Jun 19 2007
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.0.0 to 4.0.6, 4.1.0 to 4.1.34, 5.0.0 to 5.0.30, 5.5.0 to 5.5.20, 6.0.0 to 6.0.5
A vulnerability was reported in Apache Tomcat. A remote user can conduct cross-site scripting attacks.
The server may not properly filter HTML code from user-supplied input in the 'Accept-Language' header before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser in certain cases. The code will originate from the site running the Tomcat software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
This can be exploited via "older" versions of the Flash player, where Flash files can make requests with arbitrary header values.
Masato Anzai and Toshiharu Sugiyama reported this vulnerability.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Tomcat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued fixed versions.
Vendor URL: tomcat.apache.org/
Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language
-----BEGIN PGP SIGNED MESSAGE-----
CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language
Low (cross-site scripting)
The Apache Software Foundation
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.34
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.20
Tomcat 6.0.0 to 6.0.5
Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
the Accept-Language header value conforms to RFC 2616. Under normal
circumstances this would not be possible to exploit, however older
versions of Flash player were known to allow carefully crafted
malicious Flash files to make requests with such custom headers.
Tomcat now ignores invalid values for Accept-Language headers that do
not conform to RFC 2616.
1. Upgrade to fixed version
2. Escape values obtained from Accept-Language header before use.
This issue was reported by Masato Anzai and Toshiharu Sugiyama.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
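The two measures named in the advisory (ignoring Accept-Language values that do not conform to RFC 2616, and escaping the header value before it is displayed) can be sketched as follows. This is an added example, not Tomcat source code or code from the advisory; the class name `AcceptLanguageGuard`, its method names and the sample header are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (hypothetical helper, not Tomcat's implementation).
public class AcceptLanguageGuard {

    // RFC 2616 sections 3.9 and 14.4: language-range [ ";" "q" "=" qvalue ]
    private static final Pattern ENTRY = Pattern.compile(
        "(\\*|[A-Za-z]{1,8}(-[A-Za-z]{1,8})*)"
        + "(\\s*;\\s*q\\s*=\\s*(0(\\.\\d{0,3})?|1(\\.0{0,3})?))?");

    /** Returns only the language ranges that match the grammar; other entries are dropped. */
    static List<String> validRanges(String header) {
        List<String> out = new ArrayList<>();
        if (header == null) {
            return out;
        }
        for (String entry : header.split(",")) {
            String trimmed = entry.trim();
            if (ENTRY.matcher(trimmed).matches()) {
                out.add(trimmed.split(";")[0].trim());
            }
        }
        return out;
    }

    /** HTML-escapes a value for element content or a quoted attribute. */
    static String escapeHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed header: two valid ranges and one entry carrying markup.
        String header = "en-US;q=0.8, <i>test</i>, fr";
        System.out.println(validRanges(header)); // markup entry is dropped
        System.out.println(escapeHtml(header));  // raw value made safe to display
    }
}
```

Validation and escaping are complementary: a page that echoes the raw header for diagnostics should still pass it through `escapeHtml`, even on a fixed Tomcat version.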