From matt@westpoint.ltd.uk Wed Jul 17 17:23:58 2002
From: Matt Moore
To: vulnwatch@vulnwatch.org
Date: Wed, 10 Jul 2002 12:09:18 +0100
Subject: [VulnWatch] wp-02-0008: Apache Tomcat Cross Site Scripting

Westpoint Security Advisory

Title:         Apache Tomcat Cross Site Scripting
Risk Rating:   Low
Software:      Apache Tomcat v4.0.3
Platforms:     WinNT, Win2k, Linux
Vendor URL:    jakarta.apache.org
Author:        Matt Moore
Date:          10th July 2002
Advisory ID#:  wp-02-0008

Overview:
=========

Apache Tomcat is the servlet container that is used in the official
Reference Implementation for the Java Servlet and JavaServer Pages
technologies.

Tomcat has a couple of Cross Site Scripting vulnerabilities.

Details:
========

Cross Site Scripting
--------------------

By using the /servlet/ mapping to invoke various servlets / classes it is
possible to cause Tomcat to throw an exception whose error page echoes the
request path unescaped, allowing XSS attacks:

tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.ContainerServlet/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Context/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Globals/SCRIPTalert(document.domain)/SCRIPT

(angle brackets omitted from the payloads above)

Linux and Win32 versions of Tomcat are vulnerable.

The DOS device name physical path disclosure bug reported recently by Peter
Grundl can also be used to perform XSS attacks, e.g.:

tomcat-server/COM2.IMG%20src="Javascript:alert(document.domain)"

This is obviously Win32 specific.

Vendor Response:
================

None.

Patch Information:
==================

Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.

The workaround for the other XSS issues described above is as follows:

The "invoker" servlet (mapped to /servlet/), which executes anonymous servlet
classes that have not been defined in a web.xml file, should be unmapped. The
entry for this can be found in the /tomcat-install-dir/conf/web.xml file.
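For reference, the invoker entries as they appear in a stock Tomcat 4.0.x
conf/web.xml, with the mapping commented out so that /servlet/* no longer
reaches InvokerServlet. This is an added illustration, not text from the
advisory; the surrounding declaration is reproduced from memory of the 4.0.x
default file and should be checked against the installed copy.

```xml
<!-- /tomcat-install-dir/conf/web.xml (excerpt) -->

<!-- The servlet declaration may stay; it is harmless once nothing maps to it. -->
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

<!-- Workaround from wp-02-0008: unmap the invoker. The original mapping was:

<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

     With it removed, /servlet/org.apache.catalina.Context/... returns a plain
     404 instead of an exception page that echoes the path. -->
```

Because conf/web.xml is the global defaults file, the change applies to every
web application on the server; any application that relies on anonymous
/servlet/ClassName invocation needs an explicit servlet and servlet-mapping
entry in its own WEB-INF/web.xml instead. Restart Tomcat after editing.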
Two Nessus plugins should be available to test for these vulnerabilities from
www.nessus.org:

apache_tomcat_DOS_Device_XSS.nasl
apache_tomcat_Servlet_XSS.nasl

This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt
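A small stand-alone check in the spirit of those plugins, added here as an
example; it is not the advisory's or Nessus's own code. It builds the probe
URLs for both vectors from the advisory, sends them with a harmless marker
instead of a real alert(), and reports a host as affected only if the marker
comes back in the response body verbatim (an escaped or absent marker means the
invoker is unmapped or the path is being encoded). The marker string, the host
name and the sample response bodies are constructed assumptions.

```python
"""Probe for the Tomcat 4.0.x invoker / DOS-device XSS described in wp-02-0008."""
import html
import urllib.error
import urllib.parse
import urllib.request

# Classes the advisory lists; any of them makes the invoker throw.
INVOKER_TARGETS = [
    "org.apache.catalina.servlets.WebdavStatus",
    "org.apache.catalina.ContainerServlet",
    "org.apache.catalina.Context",
    "org.apache.catalina.Globals",
]

# Distinctive, inert marker (assumption): reflected unescaped, it proves the
# injection point without executing anything in a browser.
MARKER = "<wp0008marker>"


def invoker_probe_urls(base, targets=INVOKER_TARGETS, marker=MARKER):
    """/servlet/<class>/<marker> for each listed class (the Linux/Win32 vector)."""
    base = base.rstrip("/")
    quoted = urllib.parse.quote(marker, safe="")
    return [f"{base}/servlet/{t}/{quoted}" for t in targets]


def dos_device_probe_url(base, marker=MARKER):
    """/COM2.<marker>, the Win32-only DOS device name vector."""
    return f"{base.rstrip('/')}/COM2.{urllib.parse.quote(marker, safe='')}"


def is_reflected(body, marker=MARKER):
    """True only if the marker is echoed verbatim. A server that HTML-escapes
    the path returns &lt;wp0008marker&gt;, which must not count as a hit."""
    return marker in body


def fetch_body(url, timeout=5.0):
    """Return the response body even for 4xx/5xx, since the vulnerable page is
    itself an error page; network failures yield an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


def check_host(base, include_dos_device=True, timeout=5.0):
    """Map each probe URL to True/False (marker reflected or not)."""
    urls = invoker_probe_urls(base)
    if include_dos_device:
        urls.append(dos_device_probe_url(base))
    return {u: is_reflected(fetch_body(u, timeout)) for u in urls}


# Constructed sample bodies (not captured from a real server) for offline use.
VULNERABLE_BODY = (
    "<html><body><h1>HTTP Status 500</h1><p>javax.servlet.ServletException: "
    "error invoking /servlet/org.apache.catalina.Context/<wp0008marker>"
    "</p></body></html>"
)
SAFE_BODY = VULNERABLE_BODY.replace(MARKER, html.escape(MARKER))
UNMAPPED_BODY = "<html><body><h1>HTTP Status 404</h1></body></html>"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://tomcat-server:8080"
    for url, hit in check_host(target).items():
        print(("REFLECTED  " if hit else "ok         ") + url)
```

Run it as `python probe.py http://host:8080`. Note that is_reflected() is a
reflection test, not a proof of script execution: it tells you the error page
echoes the path unescaped, which is exactly the condition the advisory's
payloads rely on.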