
Apache Tomcat Cross Site Scripting

by Nikola Strahija on July 11th, 2002 Apache Tomcat is the servlet container used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. This advisory describes two reflected Cross Site Scripting vulnerabilities in Tomcat: one reachable through the "invoker" servlet mapped at /servlet/, and one (Win32 only) through the DOS device name handling bug.


Details:
========


Cross Site Scripting
--------------------


By using the /servlet/ mapping to invoke various servlets / classes directly by name it is
possible to cause Tomcat to throw an exception whose error page echoes the requested
path back to the browser without encoding it, allowing XSS attacks:


tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/SCRIPTalert(document.domain)/SCRIPT

tomcat-server/servlet/org.apache.catalina.ContainerServlet/SCRIPTalert(document.domain)/SCRIPT

tomcat-server/servlet/org.apache.catalina.Context/SCRIPTalert(document.domain)/SCRIPT

tomcat-server/servlet/org.apache.catalina.Globals/SCRIPTalert(document.domain)/SCRIPT


Linux and Win32 versions of Tomcat are vulnerable.


(angle brackets around the SCRIPT tags are omitted in the URLs above)


The DOS device name physical path disclosure bug reported recently by Peter Grundl
can also be used to perform XSS attacks, e.g:


tomcat-server/COM2.IMG%20src= "Javascript:alert(document.domain)"


Since it relies on DOS device names (COM1, COM2, LPT1 and so on), this issue is obviously Win32 specific.
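The following checker is an added example, not part of the original advisory or the Nessus plugins it mentions. It builds the probe URLs listed above for both the invoker and the DOS device name issue, and classifies a response body as "vulnerable" (payload echoed verbatim), "encoded" (payload reflected but HTML-encoded, which is what a fixed server should do) or "not-reflected". The sample response bodies are constructed to resemble a Tomcat 4.0 error page and were not captured from a real server; the fetcher is injectable so the classification logic can be exercised offline.

```python
"""Probe builder and response classifier for the Tomcat XSS issues above.

Added example; not from the advisory. Assumes a vulnerable server echoes the
requested path into its error page verbatim and a fixed one HTML-encodes it.
"""
import html
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen

# Servlet classes named in the advisory as reachable through /servlet/.
INVOKER_CLASSES = [
    "org.apache.catalina.servlets.WebdavStatus",
    "org.apache.catalina.ContainerServlet",
    "org.apache.catalina.Context",
    "org.apache.catalina.Globals",
]

# The advisory's payloads with the omitted angle brackets restored.
SCRIPT_PAYLOAD = "<SCRIPT>alert(document.domain)</SCRIPT>"
IMG_PAYLOAD = '<IMG src="Javascript:alert(document.domain)">'


def probe_urls(base):
    """Return (url, payload) pairs for every probe in the advisory.

    Angle brackets are percent-encoded so the URL is well formed; the server
    decodes them before building its error page, so the reflection is the same.
    """
    base = base.rstrip("/")
    probes = [
        (f"{base}/servlet/{cls}/{quote(SCRIPT_PAYLOAD, safe='/()')}", SCRIPT_PAYLOAD)
        for cls in INVOKER_CLASSES
    ]
    # DOS device name variant (Win32 only): COM2 followed by the IMG tag.
    probes.append((f"{base}/COM2.{quote(IMG_PAYLOAD, safe='()')}", IMG_PAYLOAD))
    return probes


def classify(body, payload):
    """Classify one response body against the payload that was sent.

    "vulnerable"    - the raw markup came back and would execute in a browser
    "encoded"       - reflected, but as &lt;...&gt; entities (safe)
    "not-reflected" - neither form present (e.g. a plain 404 once the invoker
                      mapping is removed)
    Servers that use numeric entities (&#60;) would show as "not-reflected";
    extend the check if you meet one.
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "not-reflected"


def fetch_http(url, timeout=10):
    """Default fetcher. Error pages arrive as 4xx/5xx, so read HTTPError bodies too."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("latin-1", "replace")
    except HTTPError as err:
        return err.read().decode("latin-1", "replace")


def scan(base, fetch=fetch_http):
    """Run every probe against base and map each URL to its verdict."""
    return {url: classify(fetch(url), payload) for url, payload in probe_urls(base)}


# Constructed sample responses (not captured from a real Tomcat install).
VULNERABLE_BODY = (
    "<html><head><title>Apache Tomcat/4.0 - Error report</title></head><body>"
    "<h1>HTTP Status 404 - /servlet/org.apache.catalina.Globals/"
    + SCRIPT_PAYLOAD
    + "</h1></body></html>"
)
FIXED_BODY = VULNERABLE_BODY.replace(SCRIPT_PAYLOAD, html.escape(SCRIPT_PAYLOAD))


if __name__ == "__main__":
    # Offline demonstration with a stub fetcher; swap in fetch_http for a live host.
    stub = lambda url: VULNERABLE_BODY if "Globals" in url else FIXED_BODY
    for url, verdict in scan("http://tomcat-server:8080", fetch=stub).items():
        print(f"{verdict:14s} {url}")
```

Run it against a live host with `scan("http://tomcat-server:8080")`; only a "vulnerable" verdict means the markup came back unencoded, while "encoded" shows the server now escapes the path and "not-reflected" is what you should see for /servlet/ once the invoker mapping has been removed.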


Vendor Response:
================
None.


Patch Information:
==================


Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.


The workaround for the other XSS issues described above is as follows:


The "invoker" servlet (mapped to /servlet/), which executes anonymous servlet
classes that have not been defined in a web.xml file, should be unmapped.


The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.
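The fragment below is an added illustration, not text from the advisory, showing what the relevant entries in /tomcat-install-dir/conf/web.xml look like in Tomcat 4.0 and how to apply the workaround. The servlet definition and the /servlet/* mapping are reproduced as they ship in that release; the only change needed is to comment out (or delete) the servlet-mapping element so the invoker can no longer be reached by URL.

```xml
<!-- conf/web.xml (Tomcat 4.0): the invoker servlet as shipped.
     The definition alone is harmless; it is the mapping below that exposes
     arbitrary classes under /servlet/. -->
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>
      org.apache.catalina.servlets.InvokerServlet
    </servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

<!-- BEFORE (weak): the default mapping that makes the XSS reachable -->
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

<!-- AFTER (workaround): unmap the invoker by commenting the mapping out.
     Any servlet you actually need must then be declared and mapped
     explicitly in the web application's own WEB-INF/web.xml. -->
<!--
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
```

Restart Tomcat after editing the file; a request to any /servlet/... URL should then fall through to the default servlet and return an ordinary 404 rather than an invoker error page containing the requested path.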


Two Nessus plugins should be available to test for these vulnerabilities from
www.nessus.org:


apache_tomcat_DOS_Device_XSS.nasl
apache_tomcat_Servlet_XSS.nasl


This advisory is available online at:


http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt





