Apache Tomcat Host Manager Cross Site Scripting Vulnerability
Written by Petr Splichal of RedHat   
Wednesday, 11 March 2009 22:11


Bugtraq ID: 29502
Class: Input Validation Error
CVE: CVE-2008-1947
Remote: Yes
Local: No
Published: Jun 02 2008 12:00AM
Updated: Mar 11 2009 05:46PM
Credit: Petr Splichal of RedHat



Vulnerable:
WiKID Systems WiKID Server 3.0.4
VMWare VirtualCenter 2.0.2
VMWare VirtualCenter  2.5.Update 3 build 1
VMWare VirtualCenter  2.5 Update 2
VMWare VirtualCenter  2.5 Update 1
VMWare VirtualCenter  2.5
VMWare ESX Server 3.0.3
VMWare ESX Server 3.0.2
VMWare ESX Server  3.5
Sun Solaris  9_x86
Sun Solaris  9
Sun Solaris  10.0_x86
Sun Solaris  10.0
Sun OpenSolaris  build snv_99
Sun OpenSolaris  build snv_96
Sun OpenSolaris  build snv_95
Sun OpenSolaris  build snv_92
Sun OpenSolaris  build snv_91
Sun OpenSolaris  build snv_90
Sun OpenSolaris  build snv_89
Sun OpenSolaris  build snv_88
Sun OpenSolaris  build snv_87
Sun OpenSolaris  build snv_86
Sun OpenSolaris  build snv_85
Sun OpenSolaris  build snv_84
Sun OpenSolaris  build snv_83
Sun OpenSolaris  build snv_82
Sun OpenSolaris  build snv_81
Sun OpenSolaris  build snv_80
Sun OpenSolaris  build snv_78
Sun OpenSolaris  build snv_77
Sun OpenSolaris  build snv_76
Sun OpenSolaris  build snv_68
Sun OpenSolaris  build snv_67
Sun OpenSolaris  build snv_64
Sun OpenSolaris  build snv_61
Sun OpenSolaris  build snv_59
Sun OpenSolaris  build snv_57
Sun OpenSolaris  build snv_50
Sun OpenSolaris  build snv_39
Sun OpenSolaris  build snv_36
Sun OpenSolaris  build snv_29
Sun OpenSolaris  build snv_22
Sun OpenSolaris  build snv_19
Sun OpenSolaris  build snv_13
Sun OpenSolaris  build snv_100
Sun OpenSolaris  build snv_02
Sun OpenSolaris  build snv_01
S.u.S.E. SUSE Linux Enterprise Server  10 SP2
S.u.S.E. SUSE Linux Enterprise Server  10 SP1
S.u.S.E. openSUSE  11.0
S.u.S.E. openSUSE  10.3
S.u.S.E. openSUSE  10.2
RedHat Red Hat Network Satellite Server 5.0.1
RedHat Red Hat Network Satellite Server 5.0
RedHat Red Hat Network Satellite (for RHEL 4)  5.1
RedHat Fedora 9  0
RedHat Fedora 8  0
RedHat Enterprise Linux Desktop Workstation  5 client
RedHat Enterprise Linux Desktop  5 client
RedHat Enterprise Linux  5 server
RedHat Developer Suite AS4  3
RedHat Application Server WS4  2
RedHat Application Server ES4  2
RedHat Application Server AS4  2
Pardus Linux 2008  0
MandrakeSoft Linux Mandrake  2008.1 x86_64
MandrakeSoft Linux Mandrake  2008.1
MandrakeSoft Linux Mandrake  2008.0 x86_64
MandrakeSoft Linux Mandrake  2008.0
HP HP-UX  B.11.31
HP HP-UX  B.11.23
HP HP-UX  B.11.11
Debian Linux  4.0 sparc
Debian Linux  4.0 s/390
Debian Linux  4.0 powerpc
Debian Linux  4.0 mipsel
Debian Linux  4.0 mips
Debian Linux  4.0 m68k
Debian Linux  4.0 ia-64
Debian Linux  4.0 ia-32
Debian Linux  4.0 hppa
Debian Linux  4.0 arm
Debian Linux  4.0 amd64
Debian Linux  4.0 alpha
Debian Linux  4.0
Avaya Meeting Exchange - Enterprise Edition  
Avaya Meeting Exchange 5.0 .0.52
Avaya Meeting Exchange  5.0
Avaya AES 4.2.1
Avaya AES 4.0.1
Avaya AES 3.1.6
Avaya AES 3.1.5
Avaya AES 3.1.4
Avaya AES 3.1.3
Avaya AES  4.2
Avaya AES  4.1
Avaya AES  4.0
Avaya AES  3.1
Avaya AES  3.0
Apple Mac OS X Server 10.5.5
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 5.5.26
Apache Software Foundation Tomcat 5.5.25
Apache Software Foundation Tomcat 5.5.24
Apache Software Foundation Tomcat 5.5.23
Apache Software Foundation Tomcat 5.5.22
Apache Software Foundation Tomcat 5.5.21
Apache Software Foundation Tomcat 5.5.20
Apache Software Foundation Tomcat 5.5.19
Apache Software Foundation Tomcat 5.5.18
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.16
Apache Software Foundation Tomcat 5.5.15
Apache Software Foundation Tomcat 5.5.14
Apache Software Foundation Tomcat 5.5.13
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.9



Not Vulnerable:
WiKID Systems WiKID Server 3.0.5
Sun OpenSolaris  build snv_101
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 5.5.27
Apache Software Foundation Tomcat 4.1.39



Discussion
Apache Tomcat is prone to a cross-site scripting vulnerability because the Host Manager web application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

The issue affects the following versions:

Tomcat 5.5.9 through 5.5.26
Tomcat 6.0.0 through 6.0.16
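The two ranges above are inclusive, and the first non-vulnerable release on each branch is listed further up (5.5.27 and 6.0.18). The following is an added example of mine, not code from the advisory or from the Tomcat project, that turns those ranges into a version-triage check: it parses the `Apache Tomcat/x.y.z` banner that `bin/version.sh` prints, compares versions numerically (a plain string compare puts 5.5.9 after 5.5.26 and gets this exact advisory wrong), and names the fixed release for each affected host. The inventory in the `__main__` block is constructed sample data.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the advisory states them (both ends inclusive).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((5, 5, 9), (5, 5, 26)),
    ((6, 0, 0), (6, 0, 16)),
]

# First release on each affected branch that the advisory lists as not vulnerable.
FIXED_IN = {(5, 5): (5, 5, 27), (6, 0): (6, 0, 18)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Turn 'major.minor[.patch]' into an int tuple so that 5.5.9 sorts before 5.5.26.
    Comparing the raw strings would rank '5.5.9' above '5.5.26' because '9' > '2'."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract x.y.z from the 'Apache Tomcat/x.y.z' string printed by bin/version.sh
    (the default error page carries the same string). None if it is absent."""
    m = re.search(r"Apache Tomcat/(\d+\.\d+(?:\.\d+)?)", banner)
    return m.group(1) if m else None


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release for the version's branch, or None for a branch the advisory does not cover."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_IN.get(v[:2])
    return ".".join(map(str, fixed)) if fixed else None


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, banner) pairs -> [(host, version, fix)] for affected hosts only."""
    out = []
    for host, banner in inventory:
        version = version_from_banner(banner)
        if version and is_affected(version):
            out.append((host, version, recommended_fix(version) or "vendor update"))
    return out


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    sample = [
        ("app01.example.test", "Server version: Apache Tomcat/6.0.16"),
        ("app02.example.test", "Server version: Apache Tomcat/5.5.9"),
        ("app03.example.test", "Server version: Apache Tomcat/5.5.27"),
        ("app04.example.test", "Server version: Apache Tomcat/6.0.18"),
    ]
    for host, version, fix in triage(sample):
        print(f"{host}: Tomcat {version} is affected by CVE-2008-1947; upgrade to {fix}")
```

A distribution package such as the Mandriva `tomcat5-5.5.23-9.2.10.2mdv2008.0` builds listed under Solution backports the fix while keeping the 5.5.23 banner, so for vendor-packaged Tomcats the package version, not the banner, is the authoritative signal.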



Exploit(s)/PoC(s):
Attackers can use a browser to exploit this issue.

The following proof of concept is available:

<form action="http://localhost:8080/host-manager/html/add" method="get">
<input type="hidden" name="name" value="<script>alert()</script>">
<input type="hidden" name="aliases" value="somealias">
<input type="submit">
</form>
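The proof of concept is a plain GET to `/host-manager/html/add` with markup in the `name` parameter, which means every attempt leaves a line in the Tomcat access log. The following added example, written by me and not part of the advisory or of Tomcat, scans lines in the format Tomcat's `AccessLogValve` writes with `pattern="common"` (`%h %l %u %t "%r" %s %b`), percent-decodes parameter values until they stop changing so a double-encoded payload is not missed, and flags any tag-like value sent to that endpoint. It keeps the remote-user and status fields so a request that completed with 200 on an authenticated session can be triaged ahead of one the container rejected. The log lines are constructed sample data.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in AccessLogValve "common" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Mar/2009:22:11:05 +0100] "GET /host-manager/html/add?name=%3Cscript%3Ealert()%3C/script%3E&aliases=somealias HTTP/1.1" 200 4120
10.0.0.7 - - [11/Mar/2009:22:12:40 +0100] "GET /host-manager/html/add?name=%253Cscript%253E&aliases=x HTTP/1.1" 401 1293
10.0.0.9 - admin [11/Mar/2009:22:13:02 +0100] "GET /host-manager/html/add?name=dev.example.test&aliases=dev HTTP/1.1" 200 4011
10.0.0.9 - - [11/Mar/2009:22:14:30 +0100] "GET /docs/index.html HTTP/1.1" 200 7200
"""

# %h %l %u %t "%r" %s %b  ->  ip, ident, user, timestamp, request line, status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

HOST_MANAGER_ADD = "/host-manager/html/add"
# Anything that looks like the start of an HTML tag, e.g. "<script" or "</script".
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so %253C becomes '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> Dict[str, str]:
    """For a Host Manager add request, return {param: decoded value} for values that look like markup.
    Any other path yields an empty dict."""
    parts = urlsplit(target)
    if parts.path != HOST_MANAGER_ADD:
        return {}
    hits: Dict[str, str] = {}
    # parse_qs already decodes one layer; decode_fully catches what remains.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            decoded = decode_fully(v)
            if TAG_RE.search(decoded):
                hits[key] = decoded
    return hits


def scan_log(text: str) -> List[dict]:
    """Return one finding per matching access-log line, with who sent it and how Tomcat answered."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} user={f['user']} status={f['status']} params={f['params']}")
```

Run against a real `localhost_access_log.*.txt`, the same scan works on the `combined` pattern too, since the extra referer and user-agent fields come after the part the regex anchors on.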



Solution
Vendor updates are available. Contact the vendor for details.


MandrakeSoft Linux Mandrake 2008.0
--Mandriva tomcat5-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-admin-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-common-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-jasper-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-jasper-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-jsp-2.0-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-server-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-servlet-2.4-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
--Mandriva tomcat5-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm
All of the above: http://www.mandriva.com/en/download/

HP HP-UX B.11.23
--HP HPUXWSATW-B222-1123-32.depot (PA-32)
--HP HPUXWSATW-B222-1123-64.depot (IA-64)
--HP HPUXWSATW-B302-32.depot (IA-64)
All of the above: http://software.hp.com

MandrakeSoft Linux Mandrake 2008.0 x86_64
--Mandriva tomcat5-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-admin-webapps-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-common-lib-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-jasper-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-jasper-javadoc-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-jsp-2.0-api-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-server-lib-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-servlet-2.4-api-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
--Mandriva tomcat5-webapps-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm
All of the above: http://www.mandriva.com/en/download/

Apple Mac OS X Server 10.5.5
--Apple SecUpdSrvr2008-007.dmg
http://www.apple.com/support/downloads/securityupdate2008007serverleopard.html



Reference(s)
--Apache Tomcat 4.x vulnerabilities
http://tomcat.apache.org/security-4.htm (Apache)
--Apache Tomcat 5.x vulnerabilities
http://tomcat.apache.org/security-5.htm (Apache)
--Apache Tomcat 6.x vulnerabilities
http://tomcat.apache.org/security-6.htm (Apache)
--Apache Tomcat Homepage
http://tomcat.apache.org (Apache)
--Release Name: 3.0.5
https://sourceforge.net/project/shownotes.php?release_id=626903&group_id=14477 (WiKID Systems)
--Solution 251986: Security Vulnerabilities in Tomcat 5.5 may Lead to Cross S
http://sunsolve.sun.com/search/document.do?assetkey=1-66-251986- (Sun Microsystems)
--[SECURITY] CVE-2008-1947: Tomcat host-manager XSS vulnerability
http://www.securityfocus.com/archive/1/49295 (Mark Thomas)
--ASA-2008-401 - tomcat security update (RHSA-2008-0862)
http://support.avaya.com/elmodocs2/security/ASA-2008-401.ht (Avaya)
--CVE-2008-1947: Tomcat host-manager XSS vulnerability
msg://bugtraq/ (Mark Thomas)
--RHSA-2008:0648-10 tomcat security update
http://rhn.redhat.com/errata/RHSA-2008-0648.htm (Red Hat)