[ANNOUNCE] Commons NET 2.2 released
The Apache Commons::Net team are pleased to announce the release of Commons::Net version 2.2. This is primarily a maintenance release, but it also includes some new features and enhancements. Users of version 2.0 are encouraged to upgrade to 2.2, as this release includes some important bug fixes. A summary of the changes is available here: http://commons.apache.org/net/changes-report.html#a2.2 Binaries and source jars are available from the usual download locations.
[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack. Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default, so this vulnerability could expose session cookies from the manager application to an attacker.

A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.

Example:
GET /manager/html/sessions?path=/&sort=<script>alert('xss')</script>&order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the patch for 7.0.4 (see below)
  - Update to 7.0.5 when released
- Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches

The Apache Tomcat Security Team

Patch for 6.0.29
Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp === - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769) +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy) @@ -30,8 +30,10 @@ % String path = (String) request.getAttribute(path); Session currentSession = (Session)request.getAttribute(currentSession); HttpSession currentHttpSession = currentSession.getSession(); - - String currentSessionId = currentSession.getId(); - - String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString(); + String currentSessionId = JspHelper.escapeXml(currentSession.getId()); + String submitUrl = JspHelper.escapeXml( + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + + ?path= + path); % head meta http-equiv=content-type content=text/html; charset=iso-8859-1/ @@ -45,7 +47,7 @@ titleSessions Administration: details for %= currentSessionId %/title /head body - -h1Details for Session %= JspHelper.escapeXml(currentSessionId) %/h1 +h1Details for Session %= currentSessionId %/h1 table style=text-align: left; border=0 tr @@ -54,7 +56,7 @@ /tr tr thGuessed Locale/th - -td%= JspHelper.guessDisplayLocaleFromSession(currentSession) %/td +td%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %/td /tr tr thGuessed User/th
@@ -120,7 +122,7 @@ String attributeName = (String) attributeNamesEnumeration.nextElement(); % tr - - td align=centerform action=%= submitUrl %divinput type=hidden name=path value=%= path % /input type=hidden name=action value=removeSessionAttribute /input type=hidden name=sessionId value=%= currentSessionId % /input type=hidden name=attributeName value=%= attributeName % /input type=submit value=Remove //div/form/td + td align=centerform action=%= submitUrl %divinput type=hidden name=action value=removeSessionAttribute /input type=hidden name=sessionId value=%= currentSessionId % /input type=hidden name=attributeName value=%= JspHelper.escapeXml(attributeName) % /input type=submit value=Remove //div/form/td td%= JspHelper.escapeXml(attributeName) %/td td% Object attributeValue = currentHttpSession.getAttribute(attributeName); %span title=%= attributeValue == null ? : attributeValue.getClass().toString() %%= JspHelper.escapeXml(attributeValue) %/span/td /tr Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
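Review bot: in the @@ -30,8 +30,10 @@ hunk, `submitUrl` concatenates `path` into a query string and then HTML-escapes the whole thing, but nothing URL-encodes `path` first; escapeXml is the right treatment for the attribute the value lands in, yet a context path containing `&`, `#`, `%` or a space would alter the query the form submits to rather than be carried through intact. Suggest `URLEncoder.encode(path, "UTF-8")` on `path` before the concatenation, keeping `JspHelper.escapeXml(...)` on the result. Switching from getRequestURL() to getRequestURI() is a good change in its own right: it stops the scheme and Host header from being reflected into the form action.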
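Review bot: in the @@ -45,7 +47,7 @@ hunk the h1 drops its escapeXml because `currentSessionId` is now escaped once at declaration; that is consistent, and the title element in the context line now gets escaped output too, but a variable still named `currentSessionId` that holds a pre-escaped string invites a later edit to either re-escape it (double-encoding `&`) or hand it to server-side session lookups as if it were the raw id. Suggest a name that states the contract, e.g. `escapedSessionId`, or a one-line comment at the declaration in the first hunk saying the value is already HTML-escaped.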
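Review bot: the @@ -54,7 +56,7 @@ hunk escapes the Guessed Locale cell, but the Guessed User row whose header is the trailing context here is not touched by the diff. That value is derived from session attributes, which the advisory says must be treated as untrusted when the deployed web applications are, so confirm its td is wrapped in `JspHelper.escapeXml(...)` the same way; otherwise the same class of issue survives one row down.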
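Review bot: in the @@ -120,7 +122,7 @@ hunk the hidden `path` input is removed and the path now travels only in the action URL's query string, which survives submission only if the form uses POST; a GET form makes browsers discard the action's query string and replace it with the form fields, so the removeSessionAttribute request would arrive without its path. The form's method attribute is not visible in this hunk, so please confirm it is `method="post"`. Minor: `attributeValue.getClass().toString()` in the span's title attribute is left unescaped; Java class names cannot contain `"` or `<`, so this is safe, but a short comment saying so would save the next reviewer the question.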
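As an added illustration of the issue the advisory describes (this is example code written for this page, not Tomcat's own sessionsList.jsp or JspHelper), the script below models the `sort`/`order` parameter handling of the session list in its unfiltered and its escaped form, builds the advisory's example request with a harmless canary in place of `alert('xss')`, and classifies a response body as reflecting the canary raw, escaped, or not at all. The markup fragments, the `escape_xml` entity spellings, the canary string and all function names are constructed for the demo; only the request path and parameter names come from the advisory.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

MANAGER_SESSIONS = "/manager/html/sessions"   # path used in the advisory's example request
CANARY = "<cve4172chk>"                        # constructed marker: harmless, unlikely to occur by chance


def escape_xml(value):
    """Escape the five characters that matter in HTML text and attribute
    context. Stands in for the role JspHelper.escapeXml plays in the patch;
    the entity spellings here are this example's own, not Tomcat's."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


def render_sessions_vulnerable(sort, order):
    """Pre-patch behaviour: request parameters copied into the markup as-is
    (constructed fragment, not the real JSP output)."""
    return (f'<a href="?sort={sort}&order={order}">Re-sort</a>'
            f'<p>Sessions sorted by {sort} ({order})</p>')


def render_sessions_fixed(sort, order):
    """Post-patch behaviour: every request-derived value is escaped at the
    point it is written, in attribute context and in text context alike."""
    s, o = escape_xml(sort), escape_xml(order)
    return (f'<a href="?sort={s}&amp;order={o}">Re-sort</a>'
            f'<p>Sessions sorted by {s} ({o})</p>')


def build_probe_url(context_path="/"):
    """The advisory's example GET with CANARY substituted for alert('xss')."""
    query = urlencode({"path": context_path, "sort": CANARY, "order": "ASC",
                       "action": "injectSessions",
                       "refresh": "Refresh Sessions list"})
    return f"{MANAGER_SESSIONS}?{query}"


def classify_reflection(body, canary=CANARY):
    """'raw'     -> canary appears verbatim: markup injection is possible
       'escaped' -> only the entity-encoded form appears: output is escaped
       'absent'  -> the parameter is not reflected at all"""
    if canary in body:
        return "raw"
    if escape_xml(canary) in body:
        return "escaped"
    return "absent"


def probe(renderer, url=None):
    """Drive a renderer (standing in for the server) with the probe URL's
    parameters and classify the page it returns."""
    url = url or build_probe_url()
    params = parse_qs(urlsplit(url).query)
    body = renderer(params["sort"][0], params["order"][0])
    return classify_reflection(body)


if __name__ == "__main__":
    print(build_probe_url())
    print("vulnerable:", probe(render_sessions_vulnerable))  # raw
    print("fixed:     ", probe(render_sessions_fixed))       # escaped
```

The same three-way classification works against a real response captured with curl, as long as the canary is something that cannot already be on the page; the point of preferring a canary over the advisory's `alert('xss')` is that the check then never executes anything in a browser, and a "raw" result is still conclusive because the browser would have parsed the unescaped `<` as markup.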