lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 01 Aug 2008 15:06:19 +0100
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>,
	Tomcat Developers List <dev@...cat.apache.org>,
	bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [CVE-2008-1232] Apache Tomcat XSS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-1232: Apache Tomcat XSS vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
The message argument of HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of HTTP
response. This may include characters that are illegal in HTTP headers. It
is possible for a specially crafted message to result in arbitrary content
being injected into the HTTP response. For a successful XSS attack,
unfiltered user supplied data must be included in the message argument.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev

4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev

Example:
<%@...e contentType="text/html"%>
<%
~  // some unicode characters, that result in CRLF being printed
~  final String CRLF = "\u010D\u010A";

~  final String payload = CRLF + CRLF + "<script
type='text/javascript'>document.write('Hi, there!')</script><div
style='display:none'>";
~  final String message = "Authorization is required to access " + payload;
~  response.sendError(403, message);
%>


Credit:
This issue was discovered by Konstantin Kolinko.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiTGFsACgkQb7IeiTPGAkNG6ACfY+P91mt1/h06Q8c5foCJldFp
9B8An2OvenCD+3nWbLazp6Th+lxWgL7f
=lTUT
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists