Re: Cross-site scripting vulnerability
XSS issues have been reported in:
- the servlet 2.3 examples (including snoop.jsp)
- the manager servlet
- the servlet 2.4 examples (affects TC5 only)

All of these have been fixed in CVS. Fixes for these are included in Tomcat 5.5.7 onwards.

Tomcat 4.1.31 still has the following XSS issues:
- snoop.jsp in examples
- the manager servlet

The workarounds until the next 4.1 release are:
- don't deploy the examples on a production server
- close your browser after using the manager application or disable javascript support in your browser

If your tool has identified any further XSS issues, please report them to [EMAIL PROTECTED]

Mark

Narses Barona wrote:
> Our security tool produces the following warning against Tomcat 4.1.29:
>
> [HTTP/8080/TCP] Server is an enabling vector for cross-site scripting exposure in clients [trace-1]. More...
>
> I searched the mailing list and found several references to cross-site scripting. Based on the information, I am led to believe that the problem is not with the product, but with the examples or some other non-critical piece of code.
>
> I have removed the jakarta-tomcat-4.1.29/webapps/examples directory and its content, but the problem persists. Is there some other file/directory that needs to be removed to fix this problem? I noticed one reference to a SnoopServlet, but can't find any file by that name.
>
> Narses Barona
Cross-site scripting vulnerability
Our security tool produces the following warning against Tomcat 4.1.29:

[HTTP/8080/TCP] Server is an enabling vector for cross-site scripting exposure in clients [trace-1]. More...

I searched the mailing list and found several references to cross-site scripting. Based on the information, I am led to believe that the problem is not with the product, but with the examples or some other non-critical piece of code.

I have removed the jakarta-tomcat-4.1.29/webapps/examples directory and its content, but the problem persists. Is there some other file/directory that needs to be removed to fix this problem? I noticed one reference to a SnoopServlet, but can't find any file by that name.

Narses Barona
Re: Cross-site scripting vulnerability
I notice the "More..." at the end of that... do you have the "more" by chance?

Cross-site scripting (CSS) vulnerabilities are, generally-speaking, concerned with situations where a server-side process generates HTML dynamically and there is a possibility of input data that has not been scrubbed of certain dangerous characters (i.e., ()%, etc.) being inserted into the generated code. Proper crafting of such input data can result in code being executed as trusted when it clearly should not be. (As amazing as it seems, I found the following page from Microsoft, of all sources!, to be a good explanation of the problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;252985)

As such, a tool that says a server is an enabling vector for such a vulnerability is not being especially helpful because virtually *any* server-side code that doesn't deal with such characters is potentially an enabling vector. If it narrows down the location of the apparent vulnerability, i.e., specified a path it tested maybe, it might point at something legitimately of concern. If it's just saying "Hey, Tomcat could be used to craft a CSS hack", well, yes, it COULD, but then so could *anything* server-side that generates HTML!

(Ironically, I spent most of today dealing with a servlet filter written by another team at my company that deals with cross-site scripting vulnerabilities, but which seems to have some unexpected side-effects, so I had to get up to speed on CSS vulnerabilities in a hurry!)

Frank

Narses Barona wrote:
> Our security tool produces the following warning against Tomcat 4.1.29:
>
> [HTTP/8080/TCP] Server is an enabling vector for cross-site scripting exposure in clients [trace-1]. More...
>
> I searched the mailing list and found several references to cross-site scripting. Based on the information, I am led to believe that the problem is not with the product, but with the examples or some other non-critical piece of code.
>
> I have removed the jakarta-tomcat-4.1.29/webapps/examples directory and its content, but the problem persists. Is there some other file/directory that needs to be removed to fix this problem? I noticed one reference to a SnoopServlet, but can't find any file by that name.
>
> Narses Barona

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
Re: Cross-site scripting vulnerability
Shapira, Yoav wrote:
> Howdy,
> Fixed in the latest stable releases, upgrade and test for yourself.
>
> Yoav Shapira
> Millennium Research Informatics
>
> -Original Message-
> From: Rui Lopes [mailto:[EMAIL PROTECTED]
> Sent: Monday, April 05, 2004 11:05 AM
> To: [EMAIL PROTECTED]
> Subject: Cross-site scripting vulnerability
>
> Hi,
>
> Running the Nikto security tool on Tomcat 4.1 produces a warning that it is vulnerable to cross-site scripting attacks. This is the URL it gives
>
> https://server IP:443/666%0a%0ascriptalert('Vulnerable');/script666.jsp
>
> I edited the server IP above. I found a reference to this at http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0482.html but no solution was provided. Does anybody know anything more about this, especially how to fix it?
>
> I am using Tomcat 4.1.24

Thanks, I downloaded it and indeed it does work. Can anyone tell me what was done to fix it (i.e. can you point me to a bug tracking number). I couldn't find one when I looked on Jakarta's bug database, but maybe I was looking in the wrong place or using the wrong search term.

Rui.
Cross-site scripting vulnerability
Hi,

Running the Nikto security tool on Tomcat 4.1 produces a warning that it is vulnerable to cross-site scripting attacks. This is the URL it gives

https://server IP:443/666%0a%0ascriptalert('Vulnerable');/script666.jsp

I edited the server IP above. I found a reference to this at http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0482.html but no solution was provided. Does anybody know anything more about this, especially how to fix it?

I am using Tomcat 4.1.24

Rui.
RE: Cross-site scripting vulnerability
Howdy,
Fixed in the latest stable releases, upgrade and test for yourself.

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: Rui Lopes [mailto:[EMAIL PROTECTED]
Sent: Monday, April 05, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: Cross-site scripting vulnerability

Hi,

Running the Nikto security tool on Tomcat 4.1 produces a warning that it is vulnerable to cross-site scripting attacks. This is the URL it gives

https://server IP:443/666%0a%0ascriptalert('Vulnerable');/script666.jsp

I edited the server IP above. I found a reference to this at http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0482.html but no solution was provided. Does anybody know anything more about this, especially how to fix it?

I am using Tomcat 4.1.24

Rui.
[SECURITY] Cross site scripting vulnerability revealed in 'examples' webapp of Apache Tomcat
Cross Site scripting security vulnerabilities exist in the 'examples' web application which is distributed along with Apache Tomcat. This affects all released versions of Tomcat, including 3.x and 4.x.

No other components of Tomcat are currently known to be vulnerable to cross site scripting.

To address this security issue, administrators of public servers which have deployed Apache Tomcat should make sure the 'examples' webapp is removed from the deployed Tomcat installation.

The 'examples' webapp will be modified in future Apache Tomcat releases to prevent cross site scripting.

Background information on cross site scripting: This allows a malicious website to execute JavaScript code using the security policy of a trusted domain.

More information: http://httpd.apache.org/info/css-security/

Remy and Larry
Cross-Site Scripting Vulnerability
Hi all

this has probably been discussed long ago, but I couldn't find any hints. Is this fixed in tomcat 3.2.2?

thanks a lot
regards
stefan

Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================

Affected products:
==================

Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
  http://jakarta.apache.org/tomcat/
JRun 3.0
  http://www.allaire.com/products/jrun/index.cfm
WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
  http://www-4.ibm.com/software/webservers/
Resin
  http://www.caucho.com/products/resin/

Not affected: Unknown

Problem:
========

Accessing the following URLs, the JavaScript code will be executed in the browser on the server's domain.

Tomcat 3.2.1:
  http://Tomcat/jsp-mapped-dir/SCRIPTalert(document.cookie)/SCRIPT.jsp

JRun 3.0:
  http://JRun/SCRIPTalert(document.cookie)/SCRIPT.shtml
  http://JRun/SCRIPTalert(document.cookie)/SCRIPT.jsp
  http://JRun/SCRIPTalert(document.cookie)/SCRIPT.thtml

WebSphere 3.5 FP2:
  http://WebSphere/webapp/examples/SCRIPTalert(document.cookie)/SCRIPT

WebSphere 3.02:
  http://WebSphere/SCRIPTalert(document.cookie)/SCRIPT.jsp

VisualAge for Java 3.5 Professional:
  http://VisualAge-WebSphere-Test-Environment/SCRIPTalert(document.cookie)/SCRIPT

Resin 1.2.2:
  http://Reisin/SCRIPTalert(document.cookie)/SCRIPT.jsp
  http://www.caucho.com/SCRIPTdocument.write(document.cookie)/SCRIPT.jsp

These pages produce output like this:

  Error 404
  An error has occurred while processing request: http://WebSphere/webapp/examples/**
  Message: File not found: //**
  StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //**
    at javax.servlet.ServletException.init(ServletException.java:107)
    at com.ibm.websphere.servlet.error.ServletErrorReport.init(ServletErrorReport.java:31)
    at com.ibm.servlet.engine.webapp.WebAppErrorReport.init(WebAppErrorReport.java:20)
    at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
    ...

  **: The JavaScript code is executed here.

This vulnerability is quite similar to IIS cross-site scripting vulnerabilities (MS00-060) reported by Microsoft on August 25, 2000.
  http://www.microsoft.com/technet/security/bulletin/ms00-060.asp

Impact:
=======

For the detail about cross-site scripting, see the following pages.
  http://www.cert.org/advisories/CA-2000-02.html
  http://www.microsoft.com/TechNet/security/crssite.asp
  http://www.apache.org/info/css-security/

Vendor status:
==============

Tomcat:
  Notified: 16 Mar 2001 04:32:02 +0900, [EMAIL PROTECTED]
            17 Mar 2001 18:55:45 +0900, [EMAIL PROTECTED]
  Response: 17 Mar 2001 20:07:42 -
  Fix: 30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
       11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
  Announcement: http://jakarta.apache.org/tomcat/news.html
  Sun Microsystems does not publish Tomcat vulnerabilities.
    http://java.sun.com/products/jsp/tomcat/
    http://java.sun.com/sfaq/chronology.html

JRun:
  Notified: 13 Mar 2001 23:11:54 +0900, [EMAIL PROTECTED]
  Response: 13 Mar 2001 09:43:49 -0500
            14 Mar 2001 09:05:03 -0500
  Fix: 28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
  Announcement: http://www.allaire.com/handlers/index.cfm?ID=21498Method=Full
    Macromedia Product Security Bulletin (MPSB01-06)
    JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability)

WebSphere:
  Notified: 20 Mar 2001 08:13:30 +0900, ***@us.ibm.com
  Response: 22 Mar 2001 09:14:01 -0500
            23 Mar 2001 00:02:58 +0900
  Fix: PQ47386V302x (?)
    http://www-4.ibm.com/software/webservers/appserv/efix.html
  Announcement: http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocumentViewName=TechWeb (in Japanese)

Resin:
  Notified: 16 Mar 2001 02:26:47 +0900, [EMAIL PROTECTED], [EMAIL PROTECTED]
  Response: None
  Fix: Unknown
  Announcement: Unknown
    http://www.caucho.com/products/resin/changes.xtp

Workaround:
===========

Customize error pages.

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
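
The advisory above traces the problem to error pages that echo the requested path, and an earlier reply in the thread gives the general cause as input inserted into generated HTML without scrubbing. As an added example (not code from any poster or from Tomcat), this Java class renders a 404 page both ways; the class name, method names and sample path are constructed for illustration, and it needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example: a 404 page that echoes the request path, unescaped vs. escaped.
public class ErrorPageEscaping {

    // Encode the characters that are significant in HTML text and attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Pattern from the advisory: the decoded path is pasted into the page as-is.
    static String notFoundUnescaped(String path) {
        return "<html><body><h1>Error 404</h1><p>File not found: "
                + path + "</p></body></html>";
    }

    // Same page with the path encoded for the HTML context it lands in.
    static String notFoundEscaped(String path) {
        return "<html><body><h1>Error 404</h1><p>File not found: "
                + escapeHtml(path) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: a harmless marker element, percent-encoded in the path.
        String rawPath = "/examples/%3Cb%20id=%22probe%22%3Ex%3C/b%3E.jsp";
        String path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        String marker = "<b id=\"probe\">";

        String unescaped = notFoundUnescaped(path);
        String escaped = notFoundEscaped(path);
        System.out.println(unescaped);
        System.out.println(escaped);
        // Regression check for any error page: request markup must not survive intact.
        System.out.println("unescaped page reflects markup: " + unescaped.contains(marker));
        System.out.println("escaped page reflects markup:   " + escaped.contains(marker));
    }
}
```

In a servlet container, the advisory's "Customize error pages" workaround corresponds to the <error-page> element in web.xml; a custom page that still prints the requested path needs the same escaping.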