SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1020622
SecurityTracker URL:  http://securitytracker.com/id/1020622
CVE Reference:   CVE-2008-1232
Date:  Aug 4 2008
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.1.0 to 4.1.37, 5.5.0 to 5.5.26, 6.0.0 to 6.0.16
Description:   A vulnerability was reported in Tomcat. A remote user can conduct cross-site scripting attacks.

The HttpServletResponse.sendError() function does not properly filter HTML code from user-supplied input before displaying the input on an error page. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Tomcat software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Konstantin Kolinko reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Tomcat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fixed version (6.0.18).

For version 5.5.x, a fix is available via SVN or via this patch:

http://svn.apache.org/viewvc?rev=680947&view=rev

For version 4.1.x, a fix is available via SVN or via this patch:

http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev

The vendor's advisory is available at:

http://tomcat.apache.org/security.html

Vendor URL:  tomcat.apache.org/security.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 27 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Oct 3 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Developer Suite.
Oct 3 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Application Server.
Dec 8 2008 (Red Hat Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Network Satellite Server.
Feb 24 2009 (VMware Issues Fix for VirtualCenter) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
VMware has issued a fix for VirtualCenter.
Feb 26 2009 (Sun Issues Fix) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
Sun has issued a fix for Solaris 9 and 10 and OpenSolaris.
Jun 16 2009 (CA Issues Fix for CA Service Desk) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
CA has issued a fix for CA Service Desk.
Aug 7 2009 (CA Issues Fix for Unicenter Products) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
CA has issued a fix for CA Unicenter Asset Portfolio Management, Unicenter Desktop and Server Management, and Unicenter Patch Management.
Oct 16 2009 (VMware Issues Fix for ESX Server) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
VMware has issued a fix for ESX Server 3.5.



 Source Message Contents

Subject:  [CVE-2008-1232] Apache Tomcat XSS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-1232: Apache Tomcat XSS vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.

Description:
The message argument of the HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used as the reason phrase of the HTTP
response. The message may contain characters that are illegal in HTTP headers,
so a specially crafted message can result in arbitrary content being injected
into the HTTP response. For a successful XSS attack, unfiltered user-supplied
data must be included in the message argument.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev

4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev

Example:
<%@page contentType="text/html"%>
<%
  // some unicode characters that result in CRLF being printed
  final String CRLF = "\u010D\u010A";

  final String payload = CRLF + CRLF + "<script type='text/javascript'>document.write('Hi, there!')</script><div style='display:none'>";
  final String message = "Authorization is required to access " + payload;
  response.sendError(403, message);
%>
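The Java class below is an added example; it is neither Tomcat's code nor part of the advisory. It models the char-to-byte conversion that the advisory's comment alludes to (keeping only the low byte of each char, which is an assumption about the old behaviour rather than a quote of Tomcat's source) to show why U+010D U+010A becomes CR LF on the status line, and then shows a sanitiser an application can apply to the message before calling sendError() so that the same string is safe in both sinks: the HTTP reason phrase and the HTML error page. The class and method names (SafeErrorMessage, sanitize, forReasonPhrase, forHtml, lowByteTruncate) and the constructed input are mine.

```java
import java.nio.charset.StandardCharsets;

public final class SafeErrorMessage {

    // Constructed input mirroring the advisory's example: two characters whose
    // low byte is 0x0D / 0x0A, a second pair to produce a blank line, then markup.
    static final String CRLF_LOOKALIKE = "\u010D\u010A";
    static final String PAYLOAD = CRLF_LOOKALIKE + CRLF_LOOKALIKE
            + "<script>document.write('Hi, there!')</script>";

    // Assumed model of the defect: a char-to-byte conversion that keeps only
    // the low byte of each char, so U+010D / U+010A come out as CR / LF.
    static byte[] lowByteTruncate(String s) {
        byte[] out = new byte[s.length()];
        for (int i = 0; i < s.length(); i++) {
            out[i] = (byte) s.charAt(i);
        }
        return out;
    }

    static boolean containsCrLf(byte[] bytes) {
        for (byte b : bytes) {
            if (b == 0x0D || b == 0x0A) {
                return true;
            }
        }
        return false;
    }

    // Status-line sink: keep only printable ASCII, replacing everything else
    // with a space, so no byte sequence can terminate the header section.
    static String forReasonPhrase(String message) {
        StringBuilder sb = new StringBuilder(message.length());
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            sb.append(c >= 0x20 && c <= 0x7E ? c : ' ');
        }
        return sb.toString();
    }

    // Error-page sink: entity-escape the characters that matter in HTML.
    static String forHtml(String message) {
        StringBuilder sb = new StringBuilder(message.length() + 16);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What to pass to response.sendError(sc, message): escape first, then
    // filter, so the entities produced by escaping survive the ASCII filter.
    static String sanitize(String message) {
        return forReasonPhrase(forHtml(message));
    }

    public static void main(String[] args) {
        String message = "Authorization is required to access " + PAYLOAD;

        // The raw message only becomes a header injection under low-byte
        // truncation; a real ISO-8859-1 encoder substitutes '?' instead.
        System.out.println("raw, low-byte truncated, contains CR/LF: "
                + containsCrLf(lowByteTruncate(message)));
        System.out.println("raw, ISO-8859-1 encoded, contains CR/LF: "
                + containsCrLf(message.getBytes(StandardCharsets.ISO_8859_1)));

        String safe = sanitize(message);
        System.out.println("sanitized, low-byte truncated, contains CR/LF: "
                + containsCrLf(lowByteTruncate(safe)));
        System.out.println("sanitized message: " + safe);
    }
}
```

Inside a servlet or JSP the call becomes response.sendError(403, SafeErrorMessage.sanitize("Authorization is required to access " + requestedPath)). The filter is defence in depth for applications that put request data into the message; the primary fix remains the upgrade or patch listed under Mitigation, which addresses the container side of the problem.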


Credit:
This issue was discovered by Konstantin Kolinko.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiTGFsACgkQb7IeiTPGAkNG6ACfY+P91mt1/h06Q8c5foCJldFp
9B8An2OvenCD+3nWbLazp6Th+lxWgL7f
=lTUT
-----END PGP SIGNATURE-----

Copyright 2020, SecurityGlobal.net LLC