Return-Path: 
 <announce-return-987-apmail-announce-archive=apache.org@apache.org>
Delivered-To: apmail-announce-archive@www.apache.org
Received: (qmail 35024 invoked from network); 22 Nov 2010 19:36:16 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 22 Nov 2010 19:36:16 -0000
Received: (qmail 14775 invoked by uid 500); 22 Nov 2010 19:36:33 -0000
Delivered-To: apmail-announce-archive@apache.org
Received: (qmail 14230 invoked by uid 500); 22 Nov 2010 19:36:32 -0000
Mailing-List: contact announce-help@apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:announce-help@apache.org>
List-Unsubscribe: <mailto:announce-unsubscribe@apache.org>
List-Post: <mailto:announce@apache.org>
List-Id: <announce.apache.org>
Delivered-To: mailing list announce@apache.org
Delivered-To: moderator for announce@apache.org
Received: (qmail 66308 invoked by uid 99); 22 Nov 2010 19:03:57 -0000
X-ASF-Spam-Status: No, hits=1.7 required=10.0
	tests=TO_NO_BRKTS_DIRECT,T_FRT_LOLITA1
X-Spam-Check-By: apache.org
Message-ID: <4CEABE79.8030203@apache.org>
Date: Mon, 22 Nov 2010 19:03:21 +0000
From: Mark Thomas <markt@apache.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB;
 rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: undisclosed-recipients:;
Subject: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS
 vulnerability
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- - Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- - Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.

Example:
GET /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the patch 7.0.4 patch (see below)
  - Update to 7.0.5 when released
- - Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches 
The Apache Tomcat Security Team


****************
Patch for 6.0.29
****************

Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(working copy)
@@ -30,8 +30,10 @@
 <% String path = (String) request.getAttribute("path");
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path);
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
@@ -45,7 +47,7 @@
 	<title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
  <table style="text-align: left;" border="0">
   <tr>
@@ -54,7 +56,7 @@
   </tr>
   <tr>
     <th>Guessed Locale</th>
- -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
   </tr>
   <tr>
     <th>Guessed User</th>
@@ -120,7 +122,7 @@
    	String attributeName = (String) attributeNamesEnumeration.nextElement();
 %>
 		<tr>
- -			<td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="path" value="<%= path %>" /><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" /></div></form></td>
+			<td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" /><input type="submit" value="Remove" /></div></form></td>
 			<td><%= JspHelper.escapeXml(attributeName) %></td>
 			<td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %><span title="<%= attributeValue == null ? "" : attributeValue.getClass().toString() %>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
 		</tr>
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionsList.jsp	(revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionsList.jsp	(working copy)
@@ -26,7 +26,9 @@
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
- -   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + path;
+   String submitUrl = JspHelper.escapeXml(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path);
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -38,10 +40,10 @@
 	<meta name="author" content="Cedrik LIME"/>
 	<meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
 	<meta name="robots" content="noindex,nofollow,noarchive"/>
- -	<title>Sessions Administration for <%= path %></title>
+	<title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
 </head>
 <body>
- -<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
  <p>Tips:</p>
 <ul>
@@ -55,13 +57,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
 	<fieldset><legend>Active HttpSessions informations</legend>
 		<input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
- -		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
 		<% String order = (String) request.getAttribute("order");
 		   if (order == null || "".equals(order)) {
 		   	order = "ASC";
 		   }
 		%>
- -		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
 		<input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
 		<%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
 		<table border="1" cellpadding="2" cellspacing="2" width="100%">
@@ -95,13 +97,13 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
    	Session currentSession = (Session) iter.next();
- -   	String currentSessionId = currentSession.getId();
+   	String currentSessionId = JspHelper.escapeXml(currentSession.getId());
 %>
 				<tr>
 					<td>
- -<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= JspHelper.escapeXml(currentSessionId) %></a>
+<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= currentSessionId %></a>
 					</td>
- -					<td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+					<td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
 					<td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>



***************
Patch for 7.0.4
***************

Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(revision 1037768)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp	(working copy)
@@ -30,9 +30,10 @@
 <% String path = (String) request.getAttribute("path");
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl = response.encodeURL(((HttpServletRequest)
- -           pageContext.getRequest()).getRequestURL().toString());
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
@@ -46,7 +47,7 @@
     <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
  <table style="text-align: left;" border="0">
   <tr>
@@ -55,7 +56,7 @@
   </tr>
   <tr>
     <th>Guessed Locale</th>
- -    <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+    <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
   </tr>
   <tr>
     <th>Guessed User</th>
@@ -89,7 +90,6 @@
  <form method="post" action="<%= submitUrl %>">
   <div>
- -    <input type="hidden" name="path" value="<%= path %>" />
     <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
     <input type="hidden" name="action" value="sessionDetail" />
     <input type="submit" value="Refresh" />
@@ -131,10 +131,9 @@
             <td align="center">
                 <form method="post" action="<%= submitUrl %>">
                     <div>
- -                        <input type="hidden" name="path" value="<%= path %>" />
                         <input type="hidden" name="action" value="removeSessionAttribute" />
                         <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
- -                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
                         <%
                           if ("Primary".equals(request.getAttribute("sessionType"))) {
                         %>
@@ -156,7 +155,6 @@
  <form method="post" action="<%=submitUrl%>">
   <p style="text-align: center;">
- -    <input type="hidden" name="path" value="<%= path %>" />
     <input type="submit" value="Return to session list" />
   </p>
 </form>
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
===================================================================
- --- webapps/manager/WEB-INF/jsp/sessionsList.jsp	(revision 1037768)
+++ webapps/manager/WEB-INF/jsp/sessionsList.jsp	(working copy)
@@ -28,8 +28,9 @@
  <%@page import="org.apache.catalina.manager.DummyProxySession"%><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
- -   String submitUrl = response.encodeURL(((HttpServletRequest)
- -           pageContext.getRequest()).getRequestURI() + "?path=" + path);
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -41,10 +42,10 @@
     <meta name="author" content="Cedrik LIME"/>
     <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
     <meta name="robots" content="noindex,nofollow,noarchive"/>
- -    <title>Sessions Administration for <%= path %></title>
+    <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
 </head>
 <body>
- -<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
  <p>Tips:</p>
 <ul>
@@ -58,13 +59,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
     <fieldset><legend>Active HttpSessions informations</legend>
         <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
- -        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
         <% String order = (String) request.getAttribute("order");
            if (order == null || "".equals(order)) {
                order = "ASC";
            }
         %>
- -        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
         <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
         <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
         <table border="1" cellpadding="2" cellspacing="2" width="100%">
@@ -100,7 +101,7 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
        Session currentSession = (Session) iter.next();
- -       String currentSessionId = currentSession.getId();
+       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
        String type;
        if (currentSession instanceof DeltaSession) {
            if (((DeltaSession) currentSession).isPrimarySession()) {
@@ -121,13 +122,13 @@
                             out.print(currentSessionId);
                         } else {
                       %>
- -                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
+                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
                       <%
                         }
                       %>
                     </td>
                     <td style="text-align: center;"><%= type %></td>
- -                    <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
+                    <td style="text-align: center;"><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>
                     <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
                     <td style="text-align: center;"><%= JspHelper.getDisplayCreationTimeForSession(currentSession) %></td>
                     <td style="text-align: center;"><%= JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJM6r54AAoJEBDAHFovYFnn8HEP+gLTkB76D6xNffzu6bWkFXLF
CJDKSeNJcbLeX8AGInTWPA73pndVe4c2uoW8qH31XSzrYyikR5BdQO7Fo3bZ4c1H
4nPdKtBciWxY43nkNQ8ZGXGP1ADDKS43uJioqPm/Hr9hzOYaNSkuw7063CQEB87B
a0wUcG6pIdHMJEgu+CXicMWxQKpLM8IAvnLFmuiv/rkihXsZK1131r5UMX3oApD/
2r82MHqRAetJ1S5h19gYuUKM4wwCrdW1GGUmC3tjA5+ocrUOYKA2WccHLMitDqh3
heoFQ7gLVEgqaFNSVQxYMBT1qqQN+wOxfhsghK2H49ukVdrgA7Vs71vlPz7QGmAq
7mlGQCfa219mSLTxt+G+u9fI3PpghodPwMEY8BeU3GuPDKze72U8oVIedO59rRJZ
i2a1l2ob/sg/L5olyTGqMyu1cwkmx91ZAnovnUqHBpEYxVO4Nzc5N8cicN/+lEnS
MrvsS6UzcZibLZMxmE+ILcVaoygN2wb/ERK05vXG9ou+BzyoufY+LD/aKwDvWcif
oZv00Rl9TlQAbLYwGyUV/jvNXKAwn3WMqq6j1JH/yub+gjy5foit/cryD8N0x5p7
FDXQVcELhnGI9xno6+yXuMWY/z2cmuIZEuGI8Rdg0XtICy7U1Gp3/YZoUFVnU3Qt
QLXR/d5cHVjSXgtvTGGl
=1Wya
-----END PGP SIGNATURE-----