Apache Tomcat 'jsp/cal/cal2.jsp' Cross-Site Scripting Vulnerability

Vulnerability ID 1183453 Vulnerability type Cross-site scripting
Published 2009-03-09 Updated 2009-03-09
CVE ID CVE-2009-0781 CNNVD ID CNNVD-200903-175
Platform N/A CVSS score 4.3
|Sources
https://www.securityfocus.com/bid/80647
https://cxsecurity.com/issue/WLB-2009030162
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-175
|Details
Apache Tomcat is a Java application server: a servlet container (JSP pages are compiled into servlets as well) that can be regarded as an extension of the Apache HTTP Server but also runs independently of it. In Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, jsp/cal/cal2.jsp in the calendar application of the examples web application is vulnerable to cross-site scripting. A remote attacker can inject arbitrary web script or HTML via the time parameter; the page's invalid HTML defeats the escaping applied to that parameter.
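An added example, not part of the CNNVD record or of the Apache advisory below: a defender-side check over Tomcat access-log lines that flags requests to cal2.jsp whose time parameter is anything other than a plain hour value. The log lines are constructed samples in the common log format that Tomcat's AccessLogValve writes in its default configuration; the allowlist pattern (an hour followed by am or pm) is an assumption about the values the calendar page expects, and `injected` is a placeholder marker, not the advisory's payload.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format). The second line carries a
# time parameter with a space followed by an extra attribute name, the shape the
# advisory describes; "injected" is only a marker.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Mar/2009:10:00:01 +0000] "GET /examples/jsp/cal/cal2.jsp?time=8am HTTP/1.1" 200 1234
10.0.0.7 - - [09/Mar/2009:10:00:02 +0000] "GET /examples/jsp/cal/cal2.jsp?time=8am%20STYLE=injected HTTP/1.1" 200 1301
10.0.0.9 - - [09/Mar/2009:10:00:03 +0000] "GET /examples/jsp/cal/cal1.jsp HTTP/1.1" 200 2048
10.0.0.5 - - [09/Mar/2009:10:00:04 +0000] "GET /examples/jsp/cal/cal2.jsp?time=12pm HTTP/1.1" 200 1234
"""

# The quoted request line: method, request-target (path plus query string), protocol.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Assumed allowlist for the calendar's time parameter: an hour such as 8am or 12pm.
# Allowlisting is deliberate: any other value is flagged, whatever it contains.
VALID_TIME = re.compile(r"^\d{1,2}(am|pm)$", re.IGNORECASE)


def suspicious_cal2_requests(log_text):
    """Return (client_ip, decoded_time_value) for every cal2.jsp request whose
    time parameter does not match the allowlist."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if not target.path.endswith("/jsp/cal/cal2.jsp"):
            continue
        # parse_qs percent-decodes once and keeps every repeated "time=" value.
        for value in parse_qs(target.query).get("time", []):
            if not VALID_TIME.match(value):
                client_ip = line.split()[0]
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_cal2_requests(SAMPLE_LOG):
        print(f"{ip}: unexpected time value {value!r}")
```

Because the check allowlists the expected shape instead of looking for the advisory's specific payload, double-encoded or otherwise varied attempts are flagged as well; the cost is a false positive if the calendar ever accepts other time formats, which is why the pattern is the value to tune.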
|Vulnerability EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0781: Apache Tomcat cross-site scripting vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39

Description:
The calendar application in the examples contains invalid HTML which
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.

Mitigation:
6.0.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750924&view=rev
 - upgrade to 6.0.19 when released
5.5.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750928&view=rev
 - upgrade to 5.5.28 when released
4.1.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750927&view=rev
 - upgrade to 4.1.40 when released

Example:
http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/*
*/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')});

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJsUexb7IeiTPGAkMRAnQkAKDSvIKgXQTCEOdYo0T1Ms0ze07qWQCgh2Af
7M0rD3B+d5vu90/ode27FLI=
=Y8kB
-----END PGP SIGNATURE-----
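An added example illustrating the advisory's point, written for this page and not taken from Tomcat's examples or from the Apache patches: when the attribute that carries the time value is left unquoted, a value containing a space starts a further attribute even though the value itself has been HTML-escaped, whereas quoting the attribute and escaping quote characters keeps the whole value inside one attribute. The markup shape, the hostile value and the `injected` marker are constructed for the demonstration; the tag is fed through Python's html.parser to show how a tokeniser splits it.

```python
import html
from html.parser import HTMLParser

# Constructed value in the shape the advisory describes: a space followed by what looks
# like another attribute. "injected" is a placeholder marker, not a working payload.
HOSTILE_TIME = "8am STYLE=injected"


def render_vulnerable(time_value):
    """Shape of the flaw: the value is HTML-escaped, but the attribute is not quoted,
    so the escaping cannot stop a space from ending the attribute (invalid HTML)."""
    return "<INPUT NAME=time TYPE=HIDDEN VALUE=%s>" % html.escape(time_value, quote=True)


def render_fixed(time_value):
    """Hardened form: quote the attribute and escape quote characters, so the only way
    out of the attribute is a literal quote, which the escaping removes."""
    return '<INPUT NAME="time" TYPE="HIDDEN" VALUE="%s">' % html.escape(time_value, quote=True)


class _FirstTag(HTMLParser):
    """Records the attributes of the first start tag, as a tokeniser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)  # names are lower-cased, values entity-decoded


def parsed_attributes(fragment):
    """Return {attribute_name: value} for the first tag in the fragment."""
    parser = _FirstTag()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


def value_leaks_attribute(time_value, renderer):
    """True if rendering time_value yields any attribute beyond name/type/value."""
    return bool(set(parsed_attributes(renderer(time_value))) - {"name", "type", "value"})


if __name__ == "__main__":
    print("unquoted :", parsed_attributes(render_vulnerable(HOSTILE_TIME)))
    print("quoted   :", parsed_attributes(render_fixed(HOSTILE_TIME)))
```

The point the advisory makes is visible in the parsed result: with the unquoted form the tokeniser reports a `style` attribute that the template never wrote, while with the quoted form the entire hostile string is just the `value`. Escaping and quoting are therefore not interchangeable defences; the escaper must match the context (a quoted attribute) that the template actually provides.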
|Affected products
Apache Tomcat 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10
|References

Source: XF
Name: tomcat-cal2-xss(49213)
Link: http://xforce.iss.net/xforce/xfdb/49213
Source: VUPEN
Name: ADV-2009-1856
Link: http://www.vupen.com/english/advisories/2009/1856
Source: BUGTRAQ
Name: 20090306 [SECURITY] CVE-2009-0781 XSS in Apache Tomcat examples web application
Link: http://www.securityfocus.com/archive/1/archive/1/501538/100/0/threaded
Source: MANDRIVA
Name: MDVSA-2009:138
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
Source: MANDRIVA
Name: MDVSA-2009:136
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
Source: tomcat.apache.org
Link: http://tomcat.apache.org/security-6.html
Source: tomcat.apache.org
Link: http://tomcat.apache.org/security-5.html
Source: tomcat.apache.org
Link: http://tomcat.apache.org/security-4.html
Source: SUNALERT
Name: 263529
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
Source: SECUNIA
Name: 35788
Link: http://secunia.com/advisories/35788
Source: SECUNIA
Name: 35685
Link: http://secunia.com/advisories/35685
Source: SUSE
Name: SUSE-SR:2009:012
Link: http://lists.opensuse.org/opensuse-security-announce/2009