Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2022 Tenable Network Security, Inc.TOMCAT_SNOOP_URI_XSS.NASL
HistoryJun 18, 2007 - 12:00 a.m.

Apache Tomcat snoop.jsp URI XSS

2007-06-1800:00:00
This script is Copyright (C) 2007-2022 Tenable Network Security, Inc.
www.tenable.com
2503
JSON

The remote Apache Tomcat web server includes an example JSP application, ‘snoop.jsp’, that fails to sanitize user-supplied input before using it to generate dynamic content. An unauthenticated, remote attacker can exploit this issue to inject arbitrary HTML or script code into a user’s browser to be executed within the security context of the affected site.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(25525);
  script_version("1.30");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2007-2449");
  script_bugtraq_id(24476);

  script_name(english:"Apache Tomcat snoop.jsp URI XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat web server contains a JSP application that is
affected by a cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Apache Tomcat web server includes an example JSP
application, 'snoop.jsp', that fails to sanitize user-supplied input
before using it to generate dynamic content. An unauthenticated,
remote attacker can exploit this issue to inject arbitrary HTML or
script code into a user's browser to be executed within the security
context of the affected site.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2007/Jun/182");
  script_set_attribute(attribute:"solution", value:
"Undeploy the Tomcat examples web application.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2007-2022 Tenable Network Security, Inc.");

  script_dependencies("tomcat_error_version.nasl", "cross_site_scripting.nasl");
  script_require_keys("installed_sw/Apache Tomcat");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("install_func.inc");

get_install_count(app_name:"Apache Tomcat", exit_if_zero:TRUE);
port = get_http_port(default:8080);
install = get_single_install(app_name:"Apache Tomcat", port:port);

get_kb_item_or_exit("www/"+port+"/generic_xss");

# Send a request to exploit the flaw.
xss = raw_string("<script>alert('", SCRIPT_NAME, "')</script>");
exploit = string(";", xss, "test.jsp");
foreach dir (make_list("/examples/jsp", "/jsp-examples"))
{
  if ("/examples/jsp" == dir)
  {
    w = http_send_recv3(
      method:"GET", 
      item:string(dir, "/snp/snoop.jsp"), 
      port:port, 
      add_headers: make_array("Host", xss),
      exit_on_fail:TRUE
    );
  }
  else
  {
    w = http_send_recv3(
      method: "GET", 
      item:string(dir, "/snp/snoop.jsp", exploit), 
      port:port, 
      exit_on_fail:TRUE
    );
  }
  res = w[2];

  # There's a problem if our exploit appears in the request URI.
  if (
    ("/examples/jsp" == dir && string("Server name: ", xss) >< res) ||
    (string("Request URI: /jsp-examples/snp/snoop.jsp", exploit) >< res)
  ) 
  {
    if (report_verbosity > 0)
    {
      report = 
       '\n' + 'Nessus was able to exploit the issue using the following HTTP request :' +
       '\n' +
       '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + 
       '\n' + chomp(http_last_sent_request()) +
       '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
  }
}
audit(AUDIT_LISTEN_NOT_VULN, "Apache Tomcat", port, install["version"]);
VendorProductVersionCPE
apachetomcatcpe:/a:apache:tomcat

Related

osv 1
packetstorm 1
prion 1
veracode 1
securityvulns 3
github 1
ubuntucve 1
jvn 1
cve 1
nessus 23
openvas 23
redhat 5
oraclelinux 1
centos 1
tomcat 3
fedora 5
altlinux 1
ibm 1
osv
osv
Apache Tomcat XSS Vulnerabilities in Examples Web Application
2022-05-01 18:03:36
packetstorm
packetstorm
CVE-2007-2449.txt
2007-06-15 00:00:00
prion
prion
Cross site scripting
2007-06-14 23:30:00
veracode
veracode
Cross-Site Scripting (XSS)
2020-04-10 00:19:32
securityvulns
securityvulns
[Full-disclosure] [CVE-2007-2449] Apache Tomcat XSS vulnerabilities in the JSP examples
2007-06-14 00:00:00
Apache Tomcat crossite scripting
2007-06-14 00:00:00
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities &#40;Updated - v1.1&#41;
2009-01-28 00:00:00
github
github
Apache Tomcat XSS Vulnerabilities in Examples Web Application
2022-05-01 18:03:36
ubuntucve
ubuntucve
CVE-2007-2449
2007-06-14 00:00:00
jvn
jvn
JVN#64851600 Apache Tomcat sample web application cross-site scripting vulnerability
2007-06-15 00:00:00
cve
cve
CVE-2007-2449
2007-06-14 23:30:00
nessus
nessus
SuSE9 Security Update : Tomcat (YOU Patch Number 12116)
2009-09-24 00:00:00
Oracle Linux 5 : tomcat (ELSA-2007-0569)
2013-07-12 00:00:00
RHEL 5 : tomcat (RHSA-2007:0569)
2007-07-18 00:00:00
openvas
openvas
SLES9: Security update for Tomcat
2009-10-10 00:00:00
SLES10: Security update for Tomcat 5
2009-10-13 00:00:00
SLES9: Security update for Tomcat
2009-10-10 00:00:00
redhat
redhat
(RHSA-2007:0569) Moderate: tomcat security update
2007-07-17 00:00:00
(RHSA-2007:0876) Moderate: tomcat security update
2007-10-11 00:00:00
(RHSA-2008:0630) Low: Red Hat Network Satellite Server security update
2008-08-13 00:00:00
oraclelinux
oraclelinux
Moderate: tomcat security update
2007-07-17 00:00:00
centos
centos
tomcat5 security update
2007-07-22 15:57:46
tomcat
tomcat
Fixed in Apache Tomcat 6.0.14
2007-08-13 00:00:00
Fixed in Apache Tomcat 5.5.25, 5.0.SVN
2007-09-08 00:00:00
Fixed in Apache Tomcat 4.1.37
2005-10-06 00:00:00
fedora
fedora
[SECURITY] Fedora 8 Update: tomcat5-5.5.25-1jpp.1.fc8
2007-11-17 05:37:36
[SECURITY] Fedora 7 Update: tomcat5-5.5.25-1jpp.1.fc7
2007-11-17 05:34:43
[SECURITY] Fedora 7 Update: tomcat5-5.5.26-1jpp.2.fc7
2008-02-13 04:55:03
altlinux
altlinux
Security fix for the ALT Linux 5 package tomcat5 version 0:5.5.25-alt1_1.1jpp5.0
2007-11-30 00:00:00
ibm
ibm
Security Bulletin: TADDM affected by multiple vulnerabilities due to Apache Tomcat libraries
2023-01-27 10:54:22
JSON
Related for TOMCAT_SNOOP_URI_XSS.NASL
osv1packetstorm1prion1veracode1securityvulns3github1ubuntucve1jvn1cve1nessus23openvas23redhat5oraclelinux1centos1tomcat3fedora5altlinux1ibm1