| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 May 2019 11:44:41 -0400 From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com> To: fulldisclosure@...lists.org Subject: [FD] XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221 [Original blog post here: https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/] SUMMARY Apache Tomcat had a vulnerability in its SSI implementation which could be used to achieve cross site scripting (XSS). This is only exploitable if SSI is enabled and the “printenv” directive is used which is unlikely in a production system. The vendor has rated this as a Low severity issue. A fix was released in versions 7.0.94, 8.5.40 and 9.0.19. Users are encouraged to upgrade as soon as possible. CVE-2019-0221 has been assigned to track this issue. VULNERABILITY DETAILS Server Side Includes (SSI) is a simple scripting language used server-side in some web servers for functionality like including files, echoing values of variables and displaying basic information about files. Note that these ARE NOT environment variables but are specific to SSI. They either have been set by the user or contain information about the incoming HTTP request (see full list here: https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html#Variables). The “echo” directive prints out value of a single variable while the “printenv” directive prints out values of all variables. Both of these directives output HTML. The Apache Tomcat implementation correctly escapes XSS values when using the “echo”directive but not for the “printenv” directive. As the result, if an application is using this directive, an attacker can inject malicious input causing it to output and cause XSS. The fix is to add encoding as seen in this commit: https://github.com/apache/tomcat/commit/15fcd16 In order to exploit this, several things have to true: 1. SSI support has to be enabled in Apache Tomcat – either globally or on a specific web application. It is NOT ENABLED by default. 2. A file with the “printenv” SSI directive must exist within the web application (usually “.shtml”). 3. That file must be accessible to the attacker. STEPS TO REPLICATE 1. Install a Java Runtime Environment (JRE) in Windows. 2. Download a vulnerable version of Tomcat and extract. 3. Modify the conf\context.xml file on line 19, to enable privileged context (this can also be done on individual applications instead of globally): Context privileged="true"> 4. Modify conf\web.xml to enable the SSI Servlet as per instructions here [https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html] (this can also be done on individual applications instead of globally). 5. Put the following code in “webapps/ROOT/ssi/printenv.shtml”: <html><head><title></title><body> Echo test: <!--#echo var="QUERY_STRING_UNESCAPED" --><br/><br/> Printenv test: <!--#printenv --> </body></html> 6. Run Tomcat via the following command: cd bin catalina run 7. Call the following URLs to observe XSS (may need to use FireFox). Observe the difference between “echo” directive which escapes properly and the “printenv” directive which doesn’t escape properly http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E VENDOR RESPONSE This issue was responsibly reported to the vendor via the EU FOSSA bounty program operated by Intigriti. The vendor assigned CVE-2019-0221 to track this issue and provided a fix. The vendor rated this issue as “Low Impact” on the following basis: - SSI is disabled by default - hardly anyone uses SSI - printenv is really a debug command that you would not expect to find used in a production system The vendor also indicated that if there was a lower impact level, they would have used it as they consider the chances of a production system being exposed to this vulnerability to be very close to zero. The vendor indicated that the following versions are vulnerable (no information is available on earlier versions): - Tomcat 9 – versions 9.0.0.M1 through 9.0.17 (9.0.18 is not affected) - Tomcat 8 – versions 8.5.0 to 8.5.39 - Tomcat 7 – versions 7.0.0 to 7.0.93 Users are encouraged to upgrade to the following fixed versions or later: - Tomcat 9 – version 9.0.19 - Tomcat 8 – version 8.5.40 - Tomcat 7 – version 7.0.94 BOUNTY INFORMATION This report satisfied the requirement of the EU FOSSA bounty program and a bounty has been paid. REFERENCES Apache SSI reference: see here – mod_include - https://httpd.apache.org/docs/current/mod/mod_include.html#page-header CVE-ID: CVE-2019-0221 CVSS 2.0 Score: pending CVSS 3.0 Score: pending Tomcat SSI documentation: see here - https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html Vendor advisory: see here - http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E CREDITS Text of the advisory written by Y. Shafranovich. TIMELINE 2019-02-17: Initial report submitted to the platform 2019-02-19: Initial report validated by the platform 2019-03-12: Report accepted by the vendor 2019-05-17: Public advisory issued by the vendor 2019-05-27: Public disclosure by reporter _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists