http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17685

Summary: Cross site scripting issues in most of the example webapps.
Product: Tomcat 4
Version: 4.0 Beta 1
Platform: All
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Webapps:Examples
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

While doing an audit of Sun ONE Application Server I noticed they provided a few example web applications which were actually written by Apache. I found that the following scripts suffer from cross site scripting attacks. Below is a list of the scripts and attack strings. (Note: these paths are relative to the Sun ONE Application Server 7 install path. Apache paths may vary.)

Anything that says "in form input fields" instead of "Exploit" requires a POST request to be made. Anything that says "<XSS-HERE>" marks the portion of the URL where an attacker could inject malicious content. (Note: more information below the attack strings.)

A. SessionExample Servlet
   (Exploit: http://127.0.0.1/webapps-simple/servlet/SessionExample?dataname=<XSS-HERE>&datavalue=<XSS-HERE>)

B. CookieExample Servlet
   XSS in form input fields.
   (Script: http://127.0.0.1/webapps-simple/servlet/CookieExample)
   (SRC: http://127.0.0.1/webapps-simple/servlets/cookies.html)

C. RequestParamExample Servlet
   XSS in form input fields.
   (Script: http://127.0.0.1/webapps-simple/servlet/RequestParamExample)
   (SRC: http://127.0.0.1/webapps-simple/servlets/reqparams.html)

D. RequestHeaderExample Servlet
   Referer header XSS.
   (Script: http://127.0.0.1/webapps-simple/servlet/RequestHeaderExample)
   (SRC: http://127.0.0.1/webapps-simple/servlets/reqheaders.html)

E. snoop.jsp
   User-Agent based cross site scripting flaw.
   (Script: http://127.0.0.1/webapps-simple/jsp/snp/snoop.jsp)
   (SRC: http://127.0.0.1/webapps-simple/jsp/snp/snoop.txt)

F. carts.jsp
   Form tampering allows XSS.
   (Form: http://127.0.0.1/webapps-simple/jsp/sessions/carts.html)
   (SRC: http://127.0.0.1/webapps-simple/jsp/sessions/carts.txt)
   (Script: http://127.0.0.1/webapps-simple/jsp/sessions/carts.jsp)
   (Exploit: http://127.0.0.1/webapps-simple/jsp/sessions/carts.jsp?item=<XSS-HERE>&submit=add)

G. checkresult.jsp
   (Form: http://127.0.0.1/webapps-simple/jsp/checkbox/check.html)
   (SRC: http://127.0.0.1/webapps-simple/jsp/checkbox/checkresult.txt)
   (Exploit: http://127.0.0.1/webapps-simple/jsp/checkbox/checkresult.jsp?fruit=<XSS-HERE>&fruit=<XSS-HERE>&submit=Submit)

H. cal1.jsp and cal2.jsp
   XSS in login form.
   (Form: http://127.0.0.1/webapps-simple/jsp/cal/login.html)
   (Script: http://127.0.0.1/webapps-simple/jsp/cal/cal1.jsp)
   (SRC: http://127.0.0.1/webapps-simple/jsp/cal/cal1.txt)
   XSS in time/appointment portion.
   (Script: http://127.0.0.1/webapps-simple/jsp/cal/cal2.jsp)
   (SRC: http://127.0.0.1/webapps-simple/jsp/cal/cal2.txt)
   (Exploit: http://127.0.0.1/webapps-simple/jsp/cal/cal2.jsp?time=<XSS-HERE>)

While looking in your CVS tree I noticed many of these files have not been updated in a while, which means that they may be vulnerable. I did notice one of the scripts listed above, "cal1.jsp", was recently patched against a few cross site scripting issues at "http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-4.0/webapps/examples/jsp/cal/cal1.jsp".

I agree with the statement "Obviously, the examples webapp should be removed before putting Tomcat in production anyway.", but sometimes people don't use common sense, and for this reason I have filled out this bug report. I am not aware of which versions of Tomcat come included with these issues since I have not done any type of Tomcat audit. If you have any questions please drop me an email.

- Robert
SPILABS