Re: [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

2010-11-23 Thread Mark Thomas 
The processing of applying the digital signature to the original e-mail
made the patches hard to read. E-mail clients that can process digital
signatures should undo this formatting.

For those folks with an e-mail client that can't process OpenGPG signed
e-mail, the patches have been placed on the download mirrors as part of
the 6.0.29 and 7.0.4 distributions. To obtain the patches:

For Tomcat 6
- Open http://tomcat.apache.org/download-60.cgi
- Select 'Browse' from the Quick Navigation section
- Select the patches directory

For Tomcat 7
- Open http://tomcat.apache.org/download-70.cgi
- Select 'Browse' from the Quick Navigation section
- Select the patches directory

The Apache Tomcat Security Team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

2010-11-22 Thread Mark Thomas 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- - Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- - Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected
versions uses the orderBy and sort request parameters without applying
filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session
cookies by default so this vulnerability could expose session cookies
from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team
identified additional XSS vulnerabilities if the web applications
deployed were not trusted.

Example:
GET
/manager/html/sessions?path=/sort=scriptalert('xss')/scriptorder=ASCaction=injectSessionsrefresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the patch 7.0.4 patch (see below)
  - Update to 7.0.5 when released
- - Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a
result of reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches The Apache Tomcat Security Team



Patch for 6.0.29


Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp   (working copy)
@@ -30,8 +30,10 @@
 % String path = (String) request.getAttribute(path);
Session currentSession =
(Session)request.getAttribute(currentSession);
HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl =
((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(
+   ((HttpServletRequest)
pageContext.getRequest()).getRequestURI() +
+   ?path= + path);
 %
 head
 meta http-equiv=content-type content=text/html;
charset=iso-8859-1/
@@ -45,7 +47,7 @@
titleSessions Administration: details for %= currentSessionId
%/title
 /head
 body
- -h1Details for Session %= JspHelper.escapeXml(currentSessionId) %/h1
+h1Details for Session %= currentSessionId %/h1
  table style=text-align: left; border=0
   tr
@@ -54,7 +56,7 @@
   /tr
   tr
 thGuessed Locale/th
- -td%= JspHelper.guessDisplayLocaleFromSession(currentSession)
%/td
+td%=
JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession))
%/td
   /tr
   tr
 thGuessed User/th
@@ -120,7 +122,7 @@
String attributeName = (String)
attributeNamesEnumeration.nextElement();
 %
tr
- - td align=centerform action=%= submitUrl 
%divinput
type=hidden name=path value=%= path % /input type=hidden
name=action value=removeSessionAttribute /input type=hidden
name=sessionId value=%= currentSessionId % /input type=hidden
name=attributeName value=%= attributeName % /input type=submit
value=Remove //div/form/td
+   td align=centerform action=%= submitUrl 
%divinput
type=hidden name=action value=removeSessionAttribute /input
type=hidden name=sessionId value=%= currentSessionId % /input
type=hidden name=attributeName value=%=
JspHelper.escapeXml(attributeName) % /input type=submit
value=Remove //div/form/td
td%= JspHelper.escapeXml(attributeName) %/td
td% Object attributeValue =
currentHttpSession.getAttribute(attributeName); %span title=%=
attributeValue == null ?  : attributeValue.getClass().toString()
%%= JspHelper.escapeXml(attributeValue) %/span/td
/tr
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp