[CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language header processing



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language
header processing

Severity:
Low (cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.34
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.20
Tomcat 6.0.0 to 6.0.5

Description:
Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
the Accept-Language header value conforms to RFC 2616. Under normal
circumstances this would not be possible to exploit, however older
versions of Flash player were known to allow carefully crafted
malicious Flash files to make requests with such custom headers.
Tomcat now ignores invalid values for Accept-Language headers that do
not conform to RFC 2616.

Mitigation:
1. Upgrade to fixed version
2. Escape values obtained from Accept-Language header before use.

Credit:
This issue was reported by Masato Anzai and Toshiharu Sugiyama.

References:
http://tomcat.apache.org/security.html

Mark Thomas



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGdxWMb7IeiTPGAkMRAgDgAJkBG6sVBDP/8yxGrZ7CqvEXPNW1mACgiL8M
CyWgpvE5125qciTSYPJbOgU=
=A84r
-----END PGP SIGNATURE-----



Relevant Pages

  • [Full-disclosure] [CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language
    ... Tomcat 4.1.0 to 4.1.34 ... Web pages that display the Accept-Language header value sent by the ... client are susceptible to a cross-site scripting attack if they assume ...
    (Full-Disclosure)
  • Re: Unsupported major.minor version 49.0
    ... The subject header should be used to ... need to use a 1.5 JVM to run your program. ... I think I need to define <Context> elements for my webapps, I've been reading about this in the Tomcat Docs, and even though I have tried to do what it says here I get SEVERE errors when Tomcat is starting up (I mean if I define a element in either conf/Catalina/localhost/admin.xml, balancer.xml, or manager.xml (does it make a diff. ...
    (comp.lang.java.help)
  • Re: servlet filter buffer question
    ... The content-length header isn't always correct because it's sent before the ... I was just wondering if the filter chain could be interfering with the read ... and I'm too unfamiliar with the nuances of Tomcat. ...
    (comp.lang.java.programmer)
  • Re: Adding common header to all JSP pages
    ... > header and footer frames. ... > filter for text/html content, that filter would prepend header and append ... > So how can I set up such a filter in tomcat 3.2? ...
    (comp.lang.java.programmer)
  • Re: Adding common header to all JSP pages
    ... > header and footer frames. ... > filter for text/html content, that filter would prepend header and append ... > So how can I set up such a filter in tomcat 3.2? ...
    (comp.lang.java.help)