Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: bx3941.htm

Apache Tomcat XSS vulnerability



Apache Tomcat XSS vulnerability
Apache Tomcat XSS vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-1232: Apache Tomcat XSS vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
The message argument of HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of HTTP
response. This may include characters that are illegal in HTTP headers. It
is possible for a specially crafted message to result in arbitrary content
being injected into the HTTP response. For a successful XSS attack,
unfiltered user supplied data must be included in the message argument.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev 

4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680947&view=rev (connector only) 
http://svn.apache.org/viewvc?rev=680948&view=rev 

Example:
<%@page contentType="text/html"%>
<%
~  // some unicode characters, that result in CRLF being printed
~  final String CRLF = "\u010D\u010A";

~  final String payload = CRLF + CRLF + "
"; ~ final String message = "Authorization is required to access " + payload; ~ response.sendError(403, message); %> Credit: This issue was discovered by Konstantin Kolinko. References: http://tomcat.apache.org/security.html Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkiTGFsACgkQb7IeiTPGAkNG6ACfY+P91mt1/h06Q8c5foCJldFp 9B8An2OvenCD+3nWbLazp6Th+lxWgL7f =lTUT -----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH