lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 19 Jun 2007 09:06:21 +0530
From: "Debasis Mohanty" <debasis.mohanty.listmails@...il.com>
To: "Mark Thomas" <markt@...che.org>
Cc: Tomcat Developers List <dev@...cat.apache.org>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	Tomcat Users List <users@...cat.apache.org>
Subject: Re: [CVE-2007-1358] Apache Tomcat XSS
	vulnerability in Accept-Language header processing

the funny part is I hit this issue everytime I assess an application
configured with tomcat and was under the impression that it is already
a known issue... :)

On 6/19/07, Mark Thomas <markt@...che.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language
> header processing
>
> Severity:
> Low (cross-site scripting)
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Tomcat 4.0.0 to 4.0.6
> Tomcat 4.1.0 to 4.1.34
> Tomcat 5.0.0 to 5.0.30
> Tomcat 5.5.0 to 5.5.20
> Tomcat 6.0.0 to 6.0.5
>
> Description:
> Web pages that display the Accept-Language header value sent by the
> client are susceptible to a cross-site scripting attack if they assume
> the Accept-Language header value conforms to RFC 2616. Under normal
> circumstances this would not be possible to exploit, however older
> versions of Flash player were known to allow carefully crafted
> malicious Flash files to make requests with such custom headers.
> Tomcat now ignores invalid values for Accept-Language headers that do
> not conform to RFC 2616.
>
> Mitigation:
> 1. Upgrade to fixed version
> 2. Escape values obtained from Accept-Language header before use.
>
> Credit:
> This issue was reported by Masato Anzai and Toshiharu Sugiyama.
>
> References:
> http://tomcat.apache.org/security.html
>
> Mark Thomas
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGdxWMb7IeiTPGAkMRAgDgAJkBG6sVBDP/8yxGrZ7CqvEXPNW1mACgiL8M
> CyWgpvE5125qciTSYPJbOgU=
> =A84r
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ