tomcat-dev mailing list archives

From "David Rees" <...@greenhydrant.com>
Subject RE: Jakarta Tomcat 4.1 XSS vulnerability
Date Mon, 29 Sep 2003 19:31:37 GMT
On Mon, September 29, 2003 at 1:57 am, Shapira, Yoav sent the following
> I'm not a big security buff, but three things come to mind:
> - The original post with the "exploit" is more than a year old, yet we
> haven't heard anything about this actually used maliciously -- how come?

Can't answer this one myself...

> - Is it really a vulnerability?  What can you get from this "exploit"?

You can hijack the user's session or steal information from a user's
cookie pretty easily with an XSS flaw such as this one.

> All I see is tomcat returning a 404 (not found) response with the
> javascript specified in the GET request, but javascript is executed on
> the client anyhow, so who cares?
> - What would the fix be?  Not include the requested URL in the default
> 404 response page?

That's not the problem.  If you look at the trace in my previous post, the
problem is that the javascript was printed out unencoded before any of
the response headers.  You can try plugging in the URL in your browser
(just tack "666%0a%0a<script>alert("asdf");</script>666.jsp" onto a URL) and
you will receive a Javascript alert "asdf".  Malicious users could
obviously write something much more malicious than the simple alert used as
the example.

-Dave
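The behaviour Dave describes, as an added example that is not part of the original post and is not Tomcat's own code: a minimal Python model in which the decoded request URI is written unencoded into the header area of a 404 response, so that the two decoded newlines from `%0a%0a` end the header block early and the script tag lands in what the browser renders as the body. The `X-Requested-Path` diagnostic header is an assumption made for illustration (the post does not say which line of the response carried the path), and `PAYLOAD_PATH` is constructed from the string quoted above. The hardened variant strips CR/LF before any request data reaches a header and HTML-encodes the path before echoing it into the body, which is the fix the trace actually calls for, as opposed to merely dropping the URL from the 404 page.

```python
import html
import urllib.parse

# Constructed payload, modelled on the one quoted in the post: two
# percent-encoded newlines (%0a%0a) followed by a script tag, on a .jsp path.
PAYLOAD_PATH = '/666%0a%0a<script>alert("asdf");</script>666.jsp'


def vulnerable_404(raw_path):
    """Model of the behaviour described in the post (not Tomcat's code):
    the decoded request URI is written, unencoded, into the header area.
    Once %0a%0a decodes to two newlines the header block ends early and
    everything after it is delivered to the browser as the body."""
    path = urllib.parse.unquote(raw_path)
    response = (
        "HTTP/1.0 404 Not Found\n"
        "X-Requested-Path: " + path + "\n"   # assumed diagnostic header
        "Content-Type: text/html\n"
        "\n"
        "<html><body>Not found</body></html>\n"
    )
    return response.encode()


def hardened_404(raw_path):
    """Two fixes: no CR/LF from request data may reach a header, and the
    path is HTML-encoded before it is echoed into the body.  Leaving the
    request data out of the headers entirely is the safer option; it is
    kept here only to show the header-side fix alongside the body-side one."""
    path = urllib.parse.unquote(raw_path)
    header_value = path.replace("\r", "").replace("\n", "")
    body = (
        "<html><body>The requested resource ("
        + html.escape(path, quote=True)
        + ") is not available.</body></html>\n"
    )
    response = (
        "HTTP/1.0 404 Not Found\r\n"
        "X-Requested-Path: " + header_value + "\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: " + str(len(body.encode())) + "\r\n"
        "\r\n" + body
    )
    return response.encode()


def split_response(raw):
    """Parse the way a browser does: headers end at the first blank line
    and whatever follows is the body.  Returns (header_lines, body)."""
    text = raw.decode()
    for sep in ("\r\n\r\n", "\n\n"):   # the vulnerable server emits bare "\n"
        if sep in text:
            head, body = text.split(sep, 1)
            break
    else:
        head, body = text, ""
    return head.splitlines(), body


def script_reaches_browser(raw):
    """True if a raw <script> tag ends up in the part the browser renders."""
    _, body = split_response(raw)
    return "<script>" in body


if __name__ == "__main__":
    for label, build in (("vulnerable", vulnerable_404), ("hardened", hardened_404)):
        headers, body = split_response(build(PAYLOAD_PATH))
        print(label, "header lines:", len(headers),
              "script in body:", script_reaches_browser(build(PAYLOAD_PATH)))
        print(body)
```

Running it shows the vulnerable response losing its `Content-Type` header to the body (the header block is cut off after two lines) while the hardened response keeps all four headers and delivers the script tag only as `&lt;script&gt;` text.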

