tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chad Johnson" <CJohn...@wspackaging.com>
Subject RE: Jakarta Tomcat 4.1 XSS vulnerability
Date Mon, 29 Sep 2003 19:50:24 GMT
Hey,
  Just thought I'd pop in on this one.  Fairly standard XSS attack:

-Insert/execute javascript to pull some key piece of data (ex. value of
the jsessionid cookie)
-This same bit of javascript will then make a http request (through one
several means) to an attackers website which involves that key piece of
data (ex. as a get parameter)

Now I'm not sure if TC uses some additional authentication methods to
prevent this from being an issue (ex. a session can only come from one
ip).  So this may or may not be a valid scenario.

Chad Johnson
Web Services Developer
WS Packaging Group, Inc.


-----Original Message-----
From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com] 
Sent: Monday, September 29, 2003 2:34 PM
To: Tomcat Developers List
Subject: RE: Jakarta Tomcat 4.1 XSS vulnerability



Howdy,
This is interesting, hopefully you won't mind educating me a bit
further...

>> - Is it really a vulnerability?  What can you get from this
"exploit"?
>
>You can hijack the user's session or steal information from a user's 
>cookie pretty easily with a XSS flaw such as this one.

How would you "hijack" the user's session?  By that do you mean just
getting the session ID from the JSESSION cookie on the user's
hard-drive?

>That's not the problem.  If you look at the trace in my previous post,
the
>problem is that the javascript was printed out un-encoded before any of

>the response headers.  You can try plugging in the URL in your browser 
>(just tack on "666%0a%0a<script>alert("asdf");</script>666.jsp" a URL)
and
>you will receive a Javascript alert "asdf".  Malicious users could 
>obviously write something much more malicious than a simple alert used
as
>the example.

But whatever a malicious user writes would be executed on their own PC,
right?  It won't run on the tomcat server or on anyone else's machines.
So the worst they can do is harm their own PC?  Or did I misunderstand
something?

Yoav Shapira



This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended only for the
individual(s) to whom it is addressed, and may not be saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message