the funny part is I hit this issue everytime I assess an application
configured with tomcat and was under the impression that it is already
a known issue... :)
On 6/19/07, Mark Thomas [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language
header processing
Severity:
Low (cross-site scripting)
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.34
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.20
Tomcat 6.0.0 to 6.0.5
Description:
Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
the Accept-Language header value conforms to RFC 2616. Under normal
circumstances this would not be possible to exploit, however older
versions of Flash player were known to allow carefully crafted
malicious Flash files to make requests with such custom headers.
Tomcat now ignores invalid values for Accept-Language headers that do
not conform to RFC 2616.
Mitigation:
1. Upgrade to fixed version
2. Escape values obtained from Accept-Language header before use.
Credit:
This issue was reported by Masato Anzai and Toshiharu Sugiyama.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGdxWMb7IeiTPGAkMRAgDgAJkBG6sVBDP/8yxGrZ7CqvEXPNW1mACgiL8M
CyWgpvE5125qciTSYPJbOgU=
=A84r
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
