|
|
| |
| The message argument of Apache Tomact's HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument. |
| |
Credit:
The information has been provided by Mark Thomas.
The original article can be found at: http://tomcat.apache.org/security.html
|
| |
Vulnerable Systems:
* Tomcat versions 4.1.0 to 4.1.37
* Tomcat versions 5.5.0 to 5.5.26
* Tomcat versions 6.0.0 to 6.0.16
Immune Systems:
* Tomcat versions 4.1.38
* Tomcat versions 5.5.27
* Tomcat versions 6.0.18
Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev
4.1.x users should obtain the latest source from svn or apply this patch which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev
Example:
<%@page contentType="text/html"%>
<%
~ // some unicode characters, that result in CRLF being printed
~ final String CRLF = "\u010D\u010A";
~ final String payload = CRLF + CRLF + "<script type='text/javascript'>document.write('Hi, there!')</script><div style='display:none'>";
~ final String message = "Authorization is required to access " + payload;
~ response.sendError(403, message);
%>
CVE Information:
CVE-2008-1232
|
|
|
