We don't use tomcat's manager application.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 1/12/2010, at 9:54 PM, Jacques Le Roux wrote:

> Hi,
>
> Should we not update?
>
> Thanks
>
> Jacques
>
> From: "Mark Thomas" <ma...@apache.org>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
>>
>> Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> - - Tomcat 7.0.0 to 7.0.4
>>   - Not affected in default configuration.
>>   - Affected if CSRF protection is disabled
>>   - Additional XSS issues if web applications are untrusted
>> - - Tomcat 6.0.12 to 6.0.29
>>   - Affected in default configuration
>>   - Additional XSS issues if web applications are untrusted
>> - - Tomcat 5.5.x
>>   - Not affected
>>
>> Description:
>> The session list screen (provided by sessionList.jsp) in affected versions
>> uses the orderBy and sort request parameters without applying filtering and
>> therefore is vulnerable to a cross-site scripting attack.
>> Users should be aware that Tomcat 6 does not use httpOnly for session
>> cookies by default so this vulnerability could expose session cookies from
>> the manager application to an attacker.
>> A review of the Manager application by the Apache Tomcat security team
>> identified additional XSS vulnerabilities if the web applications deployed
>> were not trusted.
>>
>> Example:
>> GET
>> /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list
>>
>> Mitigation:
>> Users of affected versions should apply one of the following mitigations
>> - - Tomcat 7.0.0 to 7.0.4
>>   - Remove the Manager application
>>   - Remove the sessionList.jsp and sessionDetail.jsp files
>>   - Ensure the CSRF protection is enabled
>>   - Apply the 7.0.4 patch (see below)
>>   - Update to 7.0.5 when released
>> - - Tomcat 6.0.12 to 6.0.29
>>   - Remove the Manager application
>>   - Remove the sessionList.jsp and sessionDetail.jsp files
>>   - Apply the patch for 6.0.29 (see below)
>>   - Update to 6.0.30 when released
>>
>> No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
>> releases.
>>
>> Credit:
>> The original issue was discovered by Adam Muntner of Gotham Digital Science.
>> Additional issues were identified by the Tomcat security team as a result of
>> reviewing the original issue.
>>
>> References:
>> http://tomcat.apache.org/security.html
>> http://tomcat.apache.org/security-7.html
>> http://tomcat.apache.org/security-6.html
>>
>> Note: The patches
>> The Apache Tomcat Security Team
>>
>>
>> ****************
>> Patch for 6.0.29
>> ****************
>>
>> Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
>> ===================================================================
>> - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769)
>> +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy)
>> @@ -30,8 +30,10 @@ >> <% String path = (String) request.getAttribute("path"); >> Session currentSession = (Session)request.getAttribute("currentSession"); >> HttpSession currentHttpSession = currentSession.getSession(); >> - - String currentSessionId = currentSession.getId(); >> - - String submitUrl = >> ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString(); >> + String currentSessionId = JspHelper.escapeXml(currentSession.getId()); >> + String submitUrl = JspHelper.escapeXml( >> + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + >> + "?path=" + path); >> %> >> <head> >> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/> >> @@ -45,7 +47,7 @@ >> <title>Sessions Administration: details for <%= currentSessionId %></title> >> </head> >> <body> >> - -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1> >> +<h1>Details for Session <%= currentSessionId %></h1> >> <table style="text-align: left;" border="0"> >> <tr> >> @@ -54,7 +56,7 @@ >> </tr> >> <tr> >> <th>Guessed Locale</th> >> - - <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) >> %></td> >> + <td><%= >> JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) >> %></td> >> </tr> >> <tr> >> <th>Guessed User</th> 
>> @@ -120,7 +122,7 @@ >> String attributeName = (String) attributeNamesEnumeration.nextElement(); >> %> >> <tr> >> - - <td align="center"><form action="<%= submitUrl %>"><div><input >> type="hidden" name="path" value="<%= path %>" /><input type="hidden" >> name="action" value="removeSessionAttribute" /><input type="hidden" >> name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" >> name="attributeName" value="<%= attributeName %>" /><input type="submit" >> value="Remove" /></div></form></td> >> + <td align="center"><form action="<%= submitUrl %>"><div><input >> type="hidden" name="action" value="removeSessionAttribute" /><input >> type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input >> type="hidden" name="attributeName" value="<%= >> JspHelper.escapeXml(attributeName) %>" /><input type="submit" value="Remove" >> /></div></form></td> >> <td><%= JspHelper.escapeXml(attributeName) %></td> >> <td><% Object attributeValue = >> currentHttpSession.getAttribute(attributeName); %><span title="<%= >> attributeValue == null ? "" : attributeValue.getClass().toString() %>"><%= >> JspHelper.escapeXml(attributeValue) %></span></td> >> </tr> >> Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp >> =================================================================== >> - --- webapps/manager/WEB-INF/jsp/sessionsList.jsp (revision 1037769) >> +++ webapps/manager/WEB-INF/jsp/sessionsList.jsp (working copy) >> @@ -26,7 +26,9 @@ >> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> >> <% String path = (String) request.getAttribute("path"); >> - - String submitUrl = >> ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + >> path; >> + String submitUrl = JspHelper.escapeXml( >> + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + >> + "?path=" + path); >> Collection activeSessions = (Collection) >> request.getAttribute("activeSessions"); >> %> >> <head> 
>> @@ -38,10 +40,10 @@ >> <meta name="author" content="Cedrik LIME"/> >> <meta name="copyright" content="copyright 2005-2010 the Apache Software >> Foundation"/> >> <meta name="robots" content="noindex,nofollow,noarchive"/> >> - - <title>Sessions Administration for <%= path %></title> >> + <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title> >> </head> >> <body> >> - -<h1>Sessions Administration for <%= path %></h1> >> +<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1> >> <p>Tips:</p> >> <ul> >> @@ -55,13 +57,13 @@ >> <form action="<%= submitUrl %>" method="post" id="sessionsForm"> >> <fieldset><legend>Active HttpSessions informations</legend> >> <input type="hidden" name="action" id="sessionsFormAction" >> value="injectSessions"/> >> - - <input type="hidden" name="sort" id="sessionsFormSort" value="<%= >> (String) request.getAttribute("sort") %>"/> >> + <input type="hidden" name="sort" id="sessionsFormSort" value="<%= >> JspHelper.escapeXml(request.getAttribute("sort")) %>"/> >> <% String order = (String) request.getAttribute("order"); >> if (order == null || "".equals(order)) { >> order = "ASC"; >> } >> %> >> - - <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= >> order %>"/> >> + <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= >> JspHelper.escapeXml(order) %>"/> >> <input type="submit" name="refresh" id="refreshButton" value="Refresh >> Sessions list" >> onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; >> return true;"/> >> <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/> >> <table border="1" cellpadding="2" cellspacing="2" width="100%"> 
>> @@ -95,13 +97,13 @@ >> <% Iterator iter = activeSessions.iterator(); >> while (iter.hasNext()) { >> Session currentSession = (Session) iter.next(); >> - - String currentSessionId = currentSession.getId(); >> + String currentSessionId = JspHelper.escapeXml(currentSession.getId()); >> %> >> <tr> >> <td> >> - -<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" >> /><a href="<%= submitUrl %>&action=sessionDetail&sessionId=<%= >> currentSessionId %>" target="_blank"><%= >> JspHelper.escapeXml(currentSessionId) %></a> >> +<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" >> /><a href="<%= submitUrl %>&action=sessionDetail&sessionId=<%= >> currentSessionId %>" target="_blank"><%= currentSessionId %></a> >> </td> >> - - <td style="text-align: center;"><%= >> JspHelper.guessDisplayLocaleFromSession(currentSession) %></td> >> + <td style="text-align: center;"><%= >> JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) >> %></td> >> <td style="text-align: center;"><%= >> JspHelper.guessDisplayUserFromSession(currentSession) %></td> >> <td style="text-align: center;"><%= >> JspHelper.getDisplayCreationTimeForSession(currentSession) %></td> >> <td style="text-align: center;"><%= >> JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td> >> >> >> >> *************** >> Patch for 7.0.4 >> *************** >> >> Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp >> =================================================================== >> - --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037768) >> +++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy) 
>> @@ -30,9 +30,10 @@ >> <% String path = (String) request.getAttribute("path"); >> Session currentSession = (Session)request.getAttribute("currentSession"); >> HttpSession currentHttpSession = currentSession.getSession(); >> - - String currentSessionId = currentSession.getId(); >> - - String submitUrl = response.encodeURL(((HttpServletRequest) >> - - pageContext.getRequest()).getRequestURL().toString()); >> + String currentSessionId = JspHelper.escapeXml(currentSession.getId()); >> + String submitUrl = JspHelper.escapeXml(response.encodeURL( >> + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + >> + "?path=" + path)); >> %> >> <head> >> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/> >> @@ -46,7 +47,7 @@ >> <title>Sessions Administration: details for <%= currentSessionId >> %></title> >> </head> >> <body> >> - -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1> >> +<h1>Details for Session <%= currentSessionId %></h1> >> <table style="text-align: left;" border="0"> >> <tr> >> @@ -55,7 +56,7 @@ >> </tr> >> <tr> >> <th>Guessed Locale</th> >> - - <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) >> %></td> >> + <td><%= >> JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) >> %></td> >> </tr> >> <tr> >> <th>Guessed User</th> >> @@ -89,7 +90,6 @@ >> <form method="post" action="<%= submitUrl %>"> >> <div> >> - - <input type="hidden" name="path" value="<%= path %>" /> >> <input type="hidden" name="sessionId" value="<%= currentSessionId %>" /> >> <input type="hidden" name="action" value="sessionDetail" /> >> <input type="submit" value="Refresh" /> 
>> @@ -131,10 +131,9 @@ >> <td align="center"> >> <form method="post" action="<%= submitUrl %>"> >> <div> >> - - <input type="hidden" name="path" value="<%= path >> %>" /> >> <input type="hidden" name="action" >> value="removeSessionAttribute" /> >> <input type="hidden" name="sessionId" value="<%= >> currentSessionId %>" /> >> - - <input type="hidden" name="attributeName" >> value="<%= attributeName %>" /> >> + <input type="hidden" name="attributeName" >> value="<%= JspHelper.escapeXml(attributeName) %>" /> >> <% >> if >> ("Primary".equals(request.getAttribute("sessionType"))) { >> %> >> @@ -156,7 +155,6 @@ >> <form method="post" action="<%=submitUrl%>"> >> <p style="text-align: center;"> >> - - <input type="hidden" name="path" value="<%= path %>" /> >> <input type="submit" value="Return to session list" /> >> </p> >> </form> >> Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp >> =================================================================== >> - --- webapps/manager/WEB-INF/jsp/sessionsList.jsp (revision 1037768) >> +++ webapps/manager/WEB-INF/jsp/sessionsList.jsp (working copy) >> @@ -28,8 +28,9 @@ >> <%...@page import="org.apache.catalina.manager.DummyProxySession"%><html >> xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> >> <% String path = (String) request.getAttribute("path"); >> - - String submitUrl = response.encodeURL(((HttpServletRequest) >> - - pageContext.getRequest()).getRequestURI() + "?path=" + path); >> + String submitUrl = JspHelper.escapeXml(response.encodeURL( >> + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + >> + "?path=" + path)); >> Collection activeSessions = (Collection) >> request.getAttribute("activeSessions"); >> %> >> <head> 
>> @@ -41,10 +42,10 @@ >> <meta name="author" content="Cedrik LIME"/> >> <meta name="copyright" content="copyright 2005-2010 the Apache Software >> Foundation"/> >> <meta name="robots" content="noindex,nofollow,noarchive"/> >> - - <title>Sessions Administration for <%= path %></title> >> + <title>Sessions Administration for <%= JspHelper.escapeXml(path) >> %></title> >> </head> >> <body> >> - -<h1>Sessions Administration for <%= path %></h1> >> +<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1> >> <p>Tips:</p> >> <ul> >> @@ -58,13 +59,13 @@ >> <form action="<%= submitUrl %>" method="post" id="sessionsForm"> >> <fieldset><legend>Active HttpSessions informations</legend> >> <input type="hidden" name="action" id="sessionsFormAction" >> value="injectSessions"/> >> - - <input type="hidden" name="sort" id="sessionsFormSort" value="<%= >> (String) request.getAttribute("sort") %>"/> >> + <input type="hidden" name="sort" id="sessionsFormSort" value="<%= >> JspHelper.escapeXml(request.getAttribute("sort")) %>"/> >> <% String order = (String) request.getAttribute("order"); >> if (order == null || "".equals(order)) { >> order = "ASC"; >> } >> %> >> - - <input type="hidden" name="order" id="sessionsFormSortOrder" >> value="<%= order %>"/> >> + <input type="hidden" name="order" id="sessionsFormSortOrder" >> value="<%= JspHelper.escapeXml(order) %>"/> >> <input type="submit" name="refresh" id="refreshButton" value="Refresh >> Sessions list" >> onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; >> return true;"/> >> <%= JspHelper.formatNumber(activeSessions.size()) %> active >> Sessions<br/> >> <table border="1" cellpadding="2" cellspacing="2" width="100%"> 
>> @@ -100,7 +101,7 @@ >> <% Iterator iter = activeSessions.iterator(); >> while (iter.hasNext()) { >> Session currentSession = (Session) iter.next(); >> - - String currentSessionId = currentSession.getId(); >> + String currentSessionId = >> JspHelper.escapeXml(currentSession.getId()); >> String type; >> if (currentSession instanceof DeltaSession) { >> if (((DeltaSession) currentSession).isPrimarySession()) { 
>> @@ -121,13 +122,13 @@ >> out.print(currentSessionId); >> } else { >> %> >> - - <a href="<%= submitUrl >> %>&action=sessionDetail&sessionId=<%= currentSessionId >> %>&sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) >> %></a> >> + <a href="<%= submitUrl >> %>&action=sessionDetail&sessionId=<%= currentSessionId >> %>&sessionType=<%= type %>"><%= currentSessionId %></a> >> <% >> } >> %> >> </td> >> <td style="text-align: center;"><%= type %></td> >> - - <td style="text-align: center;"><%= >> JspHelper.guessDisplayLocaleFromSession(currentSession) %></td> >> + <td style="text-align: center;"><%= >> JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) >> %></td> >> <td style="text-align: center;"><%= >> JspHelper.guessDisplayUserFromSession(currentSession) %></td> >> <td style="text-align: center;"><%= >> JspHelper.getDisplayCreationTimeForSession(currentSession) %></td> >> <td style="text-align: center;"><%= >> JspHelper.getDisplayLastAccessedTimeForSession(currentSession) %></td> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.9 (MingW32) >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >> >> iQIcBAEBAgAGBQJM6r54AAoJEBDAHFovYFnn8HEP+gLTkB76D6xNffzu6bWkFXLF >> CJDKSeNJcbLeX8AGInTWPA73pndVe4c2uoW8qH31XSzrYyikR5BdQO7Fo3bZ4c1H >> 4nPdKtBciWxY43nkNQ8ZGXGP1ADDKS43uJioqPm/Hr9hzOYaNSkuw7063CQEB87B >> a0wUcG6pIdHMJEgu+CXicMWxQKpLM8IAvnLFmuiv/rkihXsZK1131r5UMX3oApD/ >> 2r82MHqRAetJ1S5h19gYuUKM4wwCrdW1GGUmC3tjA5+ocrUOYKA2WccHLMitDqh3 >> heoFQ7gLVEgqaFNSVQxYMBT1qqQN+wOxfhsghK2H49ukVdrgA7Vs71vlPz7QGmAq >> 7mlGQCfa219mSLTxt+G+u9fI3PpghodPwMEY8BeU3GuPDKze72U8oVIedO59rRJZ >> i2a1l2ob/sg/L5olyTGqMyu1cwkmx91ZAnovnUqHBpEYxVO4Nzc5N8cicN/+lEnS >> MrvsS6UzcZibLZMxmE+ILcVaoygN2wb/ERK05vXG9ou+BzyoufY+LD/aKwDvWcif >> oZv00Rl9TlQAbLYwGyUV/jvNXKAwn3WMqq6j1JH/yub+gjy5foit/cryD8N0x5p7 >> FDXQVcELhnGI9xno6+yXuMWY/z2cmuIZEuGI8Rdg0XtICy7U1Gp3/YZoUFVnU3Qt >> QLXR/d5cHVjSXgtvTGGl >> =1Wya >> -----END PGP SIGNATURE----- > >
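Review bot: the first sessionDetail.jsp hunk (`@@ -30,8 +30,10 @@` in the 6.0.29 patch, `@@ -30,9 +30,10 @@` in 7.0.4) stores already-escaped text in `currentSessionId` and `submitUrl`, which is why the following `@@ -45` / `@@ -46` hunk has to drop the `JspHelper.escapeXml(currentSessionId)` wrapper in the `<h1>` to avoid double-escaping. Escaping at assignment makes every later use depend on remembering the variable's state; escaping at each output point, or naming the variables `escapedSessionId` and `escapedSubmitUrl`, keeps that visible to the next maintainer. Separately, `path` is concatenated into `"?path=" + path` with no URL-encoding before the whole string is HTML-escaped: `escapeXml` makes the result safe inside `action="..."`, but a context path containing `&` or `#` would still change the query structure, so the `path` value should be URL-encoded (for example with `URLEncoder.encode`) before concatenation. Note also that the message is PGP-signed, so lines beginning with `-` are dash-escaped (`- ---`, `- -`); verify the signature with gpg and use its output, or strip the leading `- `, before handing the text to `patch`.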
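Review bot: in the 6.0.29 sessionDetail.jsp hunk `@@ -120,7 +122,7 @@` the hidden `path` input is removed on the assumption that `submitUrl` now carries `?path=...`, but the `<form action="<%= submitUrl %>">` in that hunk has no `method` attribute and therefore submits with GET; browsers build a GET form's request URL from the form fields and discard the action URL's existing query string, so `path` would be lost on submit. Either keep the hidden `path` input in this form or give it `method="post"`, as every form touched by the 7.0.4 patch already has (`<form method="post" action="<%= submitUrl %>">`), where dropping the hidden input is safe.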
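Review bot: in the sessionsList.jsp hunk `@@ -95,13 +97,13 @@` (6.0.29; the same applies to `@@ -121,13 +122,13 @@` in 7.0.4) the locale column gains `JspHelper.escapeXml(...)`, but the unchanged context lines directly below it still emit `JspHelper.guessDisplayUserFromSession(currentSession)`, `getDisplayCreationTimeForSession` and `getDisplayLastAccessedTimeForSession` without escaping. Given the advisory's own statement that untrusted web applications can trigger further XSS, the user helper in particular looks like it derives its value from session state just as the locale helper does; confirm what it returns, or wrap it in `JspHelper.escapeXml` here for consistency with the locale column.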
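Review bot: in the sessionsList.jsp hunk `@@ -55,13 +57,13 @@` (6.0.29; `@@ -58,13 +59,13 @@` in 7.0.4) the `sort` and `order` values are now HTML-escaped before being written into the hidden inputs, which closes the reflected XSS the advisory describes, but `order` is only defaulted (`if (order == null || "".equals(order)) { order = "ASC"; }`), never validated. Since `order` is a sort direction and `sort` a column selector, rejecting anything outside a small allow-list where the parameters are read would keep the attacker-controlled string off the page entirely rather than relying on output escaping alone; output escaping should stay regardless, as defence in depth.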
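As an added example, not part of Scott's reply, Jacques's note or the quoted Tomcat advisory: a Python audit of a Tomcat install tree against the mitigations the advisory lists (manager removed or its session screens removed, CSRF protection enabled on Tomcat 7, httpOnly on session cookies for Tomcat 6). It assumes the standard CATALINA_HOME layout, that the Tomcat 7 manager's CSRF protection is the filter class `org.apache.catalina.filters.CsrfPreventionFilter` in the manager's web.xml, and that httpOnly is switched on with the `useHttpOnly="true"` attribute on `<Context>`; none of those names appear on the page. The two sample trees it builds are constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Names from the advisory: the text says sessionList.jsp, the patches say sessionsList.jsp.
SESSION_JSPS = ("sessionsList.jsp", "sessionList.jsp", "sessionDetail.jsp")
# Assumption (not on the page): filter class behind the Tomcat 7 manager's CSRF protection.
CSRF_FILTER = "org.apache.catalina.filters.CsrfPreventionFilter"


def _filter_classes(web_xml_path):
    """<filter-class> values in a web.xml. ElementTree discards XML comments,
    so a filter an administrator commented out is not counted as configured."""
    root = ET.parse(web_xml_path).getroot()
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "filter-class" and el.text}


def _context_uses_httponly(context_xml_path):
    """True when <Context useHttpOnly="true"> is set (assumed attribute name)."""
    root = ET.parse(context_xml_path).getroot()
    return root.tag.rsplit("}", 1)[-1] == "Context" and root.get("useHttpOnly", "").lower() == "true"


def audit_manager(catalina_home):
    """Return (severity, message) pairs; severity is 'ok', 'note' or 'finding'."""
    manager = os.path.join(catalina_home, "webapps", "manager")
    if not os.path.isdir(manager):
        return [("ok", "manager application not deployed")]
    findings = [("note", "manager application deployed at " + manager)]

    # Mitigation: the affected session screens have been removed.
    jsp_dir = os.path.join(manager, "WEB-INF", "jsp")
    for name in SESSION_JSPS:
        if os.path.isfile(os.path.join(jsp_dir, name)):
            findings.append(("finding", name + " present: session screens affected by CVE-2010-4172"))

    # Mitigation (Tomcat 7): CSRF protection enabled in the manager's web.xml.
    web_xml = os.path.join(manager, "WEB-INF", "web.xml")
    if os.path.isfile(web_xml):
        if CSRF_FILTER in _filter_classes(web_xml):
            findings.append(("ok", "CSRF prevention filter active in manager web.xml"))
        else:
            findings.append(("finding", "no active CsrfPreventionFilter in manager web.xml"))

    # Tomcat 6 does not mark session cookies httpOnly by default, so script
    # injected into the manager could read the manager's own session cookie.
    context_xml = os.path.join(catalina_home, "conf", "context.xml")
    if os.path.isfile(context_xml) and _context_uses_httponly(context_xml):
        findings.append(("ok", 'useHttpOnly="true" set in conf/context.xml'))
    else:
        findings.append(("finding", "useHttpOnly not set: session cookie readable by injected script"))
    return findings


def needs_attention(findings):
    return any(sev == "finding" for sev, _ in findings)


# Constructed sample web.xml; for the weak tree the filter is wrapped in a comment.
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  {start}<filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  </filter>{end}
</web-app>
"""


def build_sample_tree(root, hardened=False):
    """Write a constructed CATALINA_HOME under root; hardened=True applies the
    advisory's mitigations (session JSPs removed, CSRF filter active, httpOnly on)."""
    jsp_dir = os.path.join(root, "webapps", "manager", "WEB-INF", "jsp")
    os.makedirs(jsp_dir)
    os.makedirs(os.path.join(root, "conf"))
    if hardened:
        web_xml = WEB_XML_TEMPLATE.format(start="", end="")
        context_xml = '<Context useHttpOnly="true"/>\n'
    else:
        web_xml = WEB_XML_TEMPLATE.format(start="<!-- ", end=" -->")
        context_xml = "<Context/>\n"
        for name in ("sessionsList.jsp", "sessionDetail.jsp"):
            open(os.path.join(jsp_dir, name), "w").close()
    with open(os.path.join(root, "webapps", "manager", "WEB-INF", "web.xml"), "w") as f:
        f.write(web_xml)
    with open(os.path.join(root, "conf", "context.xml"), "w") as f:
        f.write(context_xml)


def run_demo():
    """Audit one weak and one hardened constructed tree; returns both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        weak, hard = os.path.join(tmp, "weak"), os.path.join(tmp, "hardened")
        build_sample_tree(weak)
        build_sample_tree(hard, hardened=True)
        return audit_manager(weak), audit_manager(hard)


if __name__ == "__main__":
    for label, result in zip(("weak", "hardened"), run_demo()):
        print(label, result)
```

The weak tree reports four findings (both session JSPs present, the CSRF filter only present inside a comment, no `useHttpOnly`); the hardened tree reports none. Parsing web.xml rather than grepping it is the point of the check: a filter that has been commented out still matches a text search but is dropped by the XML parser, so it correctly counts as disabled.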