[VulnWatch] wp-02-0008: Apache Tomcat Cross Site Scripting

From: Matt Moore (matt@westpoint.ltd.uk)
Date: 07/10/02


Date: Wed, 10 Jul 2002 12:09:18 +0100
From: Matt Moore <matt@westpoint.ltd.uk>
To: vulnwatch@vulnwatch.org

Westpoint Security Advisory

Title: Apache Tomcat Cross Site Scripting
Risk Rating: Low
Software: Apache Tomcat v4.0.3
Platforms: WinNT, Win2k, Linux
Vendor URL: jakarta.apache.org
Author: Matt Moore <matt@westpoint.ltd.uk>
Date: 10th July 2002
Advisory ID#: wp-02-0008

Overview:
=========
Apache Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.

Tomcat has a couple of Cross Site Scripting vulnerabilities.

Details:
========

Cross Site Scripting
--------------------

By using the /servlet/ mapping to invoke various servlets / classes it is
possible to cause Tomcat to throw an exception, allowing XSS attacks:

tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/SCRIPTalert(document.domain)/SCRIPT

tomcat-server/servlet/org.apache.catalina.ContainerServlet/SCRIPTalert(document.domain)/SCRIPT

tomcat-server/servlet/org.apache.catalina.Context/SCRIPTalert(document.domain)/SCRIPT

tomcat-server/servlet/org.apache.catalina.Globals/SCRIPTalert(document.domain)/SCRIPT

Linux and Win32 versions of Tomcat are vulnerable.

(angle brackets omitted)

The DOS device name physical path disclosure bug reported recently by
Peter Grundl can also be used to perform XSS attacks, e.g.:

tomcat-server/COM2.IMG%20src= "Javascript:alert(document.domain)"

This is obviously Win32 specific.
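As an added illustration that is not part of the advisory: a small access-log review helper that flags requests shaped like the two probe patterns above (the invoker servlet mapping with markup in the trailing path segment, and a reserved DOS device name as the first path segment). The log lines are constructed, and the reserved names beyond the advisory's COM2 example are the standard Windows reserved device names, not something the advisory lists.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat access log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2002:12:09:18 +0100] "GET /servlet/org.apache.catalina.Globals/<SCRIPT>alert(document.domain)</SCRIPT> HTTP/1.0" 500 1023
10.0.0.5 - - [10/Jul/2002:12:09:19 +0100] "GET /servlet/org.apache.catalina.Context/%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E HTTP/1.0" 500 1019
10.0.0.7 - - [10/Jul/2002:12:10:02 +0100] "GET /COM2.<IMG%20src=%22Javascript:alert(document.domain)%22> HTTP/1.0" 500 880
10.0.0.9 - - [10/Jul/2002:12:11:40 +0100] "GET /servlet/com.example.HelloWorld HTTP/1.0" 200 512
10.0.0.9 - - [10/Jul/2002:12:12:01 +0100] "GET /index.html HTTP/1.0" 200 2048
"""

# Minimal Common Log Format parser: client, timestamp, method, path, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Standard Windows reserved device names as the first path segment (Win32 only).
DEVICE_RE = re.compile(r'^/(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(?:[./]|$)', re.IGNORECASE)
# Tag delimiters or a javascript: scheme anywhere in the decoded path.
MARKUP_RE = re.compile(r'[<>]|javascript:', re.IGNORECASE)


def classify(path: str):
    """Return a finding label for a raw request path, or None if it looks benign."""
    decoded = unquote(path)  # normalise %3C etc. so encoded probes are not missed
    if not MARKUP_RE.search(decoded):
        return None
    if decoded.startswith("/servlet/"):
        return "invoker-servlet-xss"
    if DEVICE_RE.match(decoded):
        return "dos-device-xss"
    return None


def scan_log(text: str):
    """Return (client, finding, decoded_path) for each suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        label = classify(m.group("path"))
        if label:
            findings.append((m.group("ip"), label, unquote(m.group("path"))))
    return findings


if __name__ == "__main__":
    for client, label, path in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{path}")
```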

Vendor Response:
================
None.

Patch Information:
==================

Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.

The workaround for the other XSS issues described above is as follows:

The "invoker" servlet (mapped to /servlet/), which executes anonymous servlet
classes that have not been defined in a web.xml file, should be unmapped.

The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.

Two Nessus plugins should be available to test for these vulnerabilities
from www.nessus.org:

apache_tomcat_DOS_Device_XSS.nasl
apache_tomcat_Servlet_XSS.nasl

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt
