Re: Cross-site scripting vulnerability
XSS issues have been reported in:
- the servlet 2.3 examples (including snoop.jsp)
- the manager servlet
- the servlet 2.4 examples (affects TC5 only)

All of these have been fixed in CVS. Fixes for these are included in Tomcat 5.5.7 onwards.

Tomcat 4.1.31 still has the following XSS issues:
- snoop.jsp in examples
- the manager servlet

The workarounds until the next 4.1 release are:
- don't deploy the examples on a production server
- close your browser after using the manager application or disable javascript support in your browser

If your tool has identified any further XSS issues, please report them to [EMAIL PROTECTED]

Mark

Narses Barona wrote:
> Our security tool produces the following warning against Tomcat 4.1.29:
>
> [HTTP/8080/TCP] Server is an enabling vector for cross-site scripting exposure in clients [trace-1]. More...
>
> I searched the mailing list and found several references to cross-site scripting. Based on the information, I am led to believe that the problem is not with the product, but with the examples or some other non-critical piece of code.
>
> I have removed the jakarta-tomcat-4.1.29/webapps/examples directory and its content, but the problem persists. Is there some other file/directory that needs to be removed to fix this problem? I noticed one reference to a SnoopServlet, but can't find any file by that name.
>
> Narses Barona
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
Re: Cross-site scripting vulnerability
I notice the "More..." at the end of that... do you have the "more" by chance?

Cross-site scripting (CSS) vulnerabilities are, generally speaking, concerned with situations where a server-side process generates HTML dynamically and there is a possibility of input data that has not been scrubbed of certain dangerous characters (i.e., ()%, etc.) being inserted into the generated code. Proper crafting of such input data can result in code being executed as trusted when it clearly should not be. (As amazing as it seems, I found the following page from Microsoft, of all sources!, to be a good explanation of the problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;252985)

As such, a tool that says a server is "an enabling vector" for such a vulnerability is not being especially helpful because virtually *any* server-side code that doesn't deal with such characters is potentially an enabling vector. If it narrows down the location of the apparent vulnerability, i.e., specified a path it tested maybe, it might point at something legitimately of concern. If it's just saying "Hey, Tomcat could be used to craft a CSS hack", well, yes, it COULD, but then so could *anything* server-side that generates HTML!

(Ironically, I spent most of today dealing with a servlet filter written by another team at my company that deals with cross-site scripting vulnerabilities, but which seems to have some unexpected side-effects, so I had to get up to speed on CSS vulnerabilities in a hurry!)

Frank

Narses Barona wrote:
> Our security tool produces the following warning against Tomcat 4.1.29:
>
> [HTTP/8080/TCP] Server is an enabling vector for cross-site scripting exposure in clients [trace-1]. More...
>
> I searched the mailing list and found several references to cross-site scripting. Based on the information, I am led to believe that the problem is not with the product, but with the examples or some other non-critical piece of code.
>
> I have removed the jakarta-tomcat-4.1.29/webapps/examples directory and its content, but the problem persists. Is there some other file/directory that needs to be removed to fix this problem? I noticed one reference to a SnoopServlet, but can't find any file by that name.
>
> Narses Barona

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
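As an added illustration of the mechanism Frank describes (example code written for this archive, not code from the thread or from Tomcat): a 404 page that echoes the requested path in its unscrubbed form beside its escaped form, checked with the Nikto probe path quoted later in the thread as constructed input. The angle brackets around `script` are assumed restored from the archive's garbled copy, and `not_found_page_unsafe`, `not_found_page_safe` and `reflects_markup` are hypothetical names.

```python
"""Added example: why a page that reflects the request path must
HTML-escape it, and a check that tells the two cases apart."""
import html
import re
from urllib.parse import unquote

# Constructed from the Nikto probe quoted in the thread: %0a decodes to a
# newline, the remainder is literal markup a naive error page would echo.
PROBE_PATH = "/666%0a%0a<script>alert('Vulnerable');</script>666.jsp"

PAGE = "<html><body><h1>404</h1><p>{shown} was not found.</p></body></html>"


def not_found_page_unsafe(request_path: str) -> str:
    """The pattern Frank describes: HTML built from input that was never
    scrubbed. The decoded path lands inside the markup verbatim."""
    return PAGE.format(shown=unquote(request_path))


def not_found_page_safe(request_path: str) -> str:
    """Hardened form: every character with HTML meaning in the path is
    entity-encoded, so the browser renders it as text and executes nothing."""
    return PAGE.format(shown=html.escape(unquote(request_path), quote=True))


def reflects_markup(page: str, request_path: str) -> bool:
    """The check a scanner effectively performs: does any tag-like token
    from the decoded request reappear, unencoded, in the response body?
    True means the page is an enabling vector for reflected XSS."""
    decoded = unquote(request_path)
    fragments = re.findall(r"<[^>]+>", decoded)
    return any(fragment in page for fragment in fragments)


if __name__ == "__main__":
    for name, render in (("unsafe", not_found_page_unsafe),
                         ("safe", not_found_page_safe)):
        print(f"{name}: reflects markup ="
              f" {reflects_markup(render(PROBE_PATH), PROBE_PATH)}")
```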
Re: Cross-site scripting vulnerability
Shapira, Yoav wrote:
> Howdy,
> Fixed in the latest stable releases, upgrade and test for yourself.
>
> Yoav Shapira
> Millennium Research Informatics
>
> -----Original Message-----
> From: Rui Lopes [mailto:[EMAIL PROTECTED]
> Sent: Monday, April 05, 2004 11:05 AM
> To: [EMAIL PROTECTED]
> Subject: Cross-site scripting vulnerability
>
> Hi,
>
> Running the Nikto security tool on Tomcat 4.1 produces a warning that it is vulnerable to cross-site scripting attacks. This is the URL it gives:
>
> https://server IP:443/666%0a%0a<script>alert('Vulnerable');</script>666.jsp
>
> I edited the server IP above. I found a reference to this at http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0482.html but no solution was provided. Does anybody know anything more about this, especially how to fix it? I am using Tomcat 4.1.24

Thanks, I downloaded it and indeed it does work. Can anyone tell me what was done to fix it (i.e. can you point me to a bug tracking number)? I couldn't find one when I looked on Jakarta's bug database, but maybe I was looking in the wrong place or using the wrong search term.

Rui.
RE: Cross-site scripting vulnerability
Howdy,
Fixed in the latest stable releases, upgrade and test for yourself.

Yoav Shapira
Millennium Research Informatics

-----Original Message-----
From: Rui Lopes [mailto:[EMAIL PROTECTED]
Sent: Monday, April 05, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: Cross-site scripting vulnerability

Hi,

Running the Nikto security tool on Tomcat 4.1 produces a warning that it is vulnerable to cross-site scripting attacks. This is the URL it gives:

https://server IP:443/666%0a%0a<script>alert('Vulnerable');</script>666.jsp

I edited the server IP above. I found a reference to this at http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0482.html but no solution was provided. Does anybody know anything more about this, especially how to fix it? I am using Tomcat 4.1.24

Rui.