Erik Abele wrote:
not acked, just fwd'ing...
The issues mentioned in this email are very minor so -> tomcat-dev.
Begin forwarded message:
From: "Oliver Karow" <[EMAIL PROTECTED]>
Date: 3 January 2005 12:29:12 MEZ
To: [EMAIL PROTECTED]
Subject: XSS in Jakarta Tomcat 5.5.6
Hello and a happy new year,
While coding a little webapp security scanner, I found cross-site scripting vulnerabilities in Apache Tomcat/5.5.6 (JVM Version: 1.5.0_01-b08 (Sun Microsystems), running on Windows 2000).
The first one needs authentication:
http://192.168.0.23:8080/manager/html/<script>alert("Hallo")</script>
http://192.168.0.23:8080/manager/html/stop?path=<script>alert("Hallo")</script>
http://192.168.0.23:8080/manager/html/start?path=<script>alert("Hallo")</script>
This is a non issue, so I'd say we won't fix that. It's always possible that someone would fix it though, if they care ;)
I'll look at this for the same reason I looked at the XSS issues in the examples - not that it is a real security issue but to stop us having to periodically explain to people that don't understand security why this is a total non-issue.
The second one works without authentication, but should not be that easy to exploit:
Telnet to port 8080 and paste the following:
<script>alert("Hallo")</script> /jsp-examples/snp/snoop.jsp HTTP/1.0
We have decided to fix XSS in the examples web applications (which should obviously be removed from production servers), so I assume we will fix this.
I posted the patches to fix examples to the committers list a little while ago (I can't patch it myself as fixing the examples requires jakarta-servletapi-5 karma). I'll dig out the patch and post it here.
Because I'm not very familiar with Tomcat, I want to ask you to verify the existence of this bug. I looked at securityfocus.com to verify the existence of this bug, but could not find anything regarding this version of Tomcat.
If you have any questions, feel free to contact me!
Best regards,
Rémy
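The two spots in the report have the same root cause: a request field (the path info or `path` parameter of the manager, the request line echoed by the snoop example) is written back into HTML without escaping. The following Python is an added illustration, not code from Tomcat or from anyone in this thread. It models a snoop-style page that reflects the parsed request line, shows the unescaped rendering beside an escaped one, and adds a simple server-side check a defender could run over request lines: a method token that is not a known HTTP method is a reliable sign of this kind of probe. The request line is the one quoted in the report, used as constructed sample input; the function names are mine.

```python
import html

# Constructed sample, modelled on the request line quoted in the report:
# the injected markup sits in the method position, the path is the snoop example.
SAMPLE_REQUEST_LINE = '<script>alert("Hallo")</script> /jsp-examples/snp/snoop.jsp HTTP/1.0'

# Methods an HTTP/1.0 or 1.1 request line is expected to carry.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def parse_request_line(line):
    """Split a request line into its three tokens.

    Like the servers of that era, this accepts any token as the method; it is
    the rendering step, not the parser, that has to make the value safe.
    """
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return {"method": parts[0], "uri": parts[1], "protocol": parts[2]}


def render_snoop_unescaped(req):
    """Vulnerable rendering: request fields are interpolated into the page verbatim,
    which is the behaviour the report describes for snoop.jsp."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in req.items())
    return f"<table>{rows}</table>"


def render_snoop_escaped(req):
    """Hardened rendering: every reflected value goes through an HTML escaper,
    so '<', '>', '&' and quotes can no longer start markup or break out of an attribute."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in req.items()
    )
    return f"<table>{rows}</table>"


def has_unknown_method(req):
    """Detection hook: a method token outside the HTTP vocabulary is not something a
    browser or proxy emits, so it is worth logging or rejecting at the connector."""
    return req["method"].upper() not in KNOWN_METHODS


if __name__ == "__main__":
    req = parse_request_line(SAMPLE_REQUEST_LINE)
    print("unknown method:", has_unknown_method(req))
    print("unescaped:", render_snoop_unescaped(req))
    print("escaped:  ", render_snoop_escaped(req))
```

The same `html.escape` call is the fix for the manager's reflected `path` parameter: the value only needs escaping at the point where it is written into the HTML error message, not at parse time.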
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]