Carl,

On 11/1/16 5:11 PM, Carl K. wrote:
> Control Scan has returned this as a vulnerability in Tomcat
> 8.0.38:
> 
> Vulnerable version of Apache Tomcat: 8.0.38
> 
> Risk: High (3) Port: 443/tcp Protocol: tcp Threat ID:
> web_dev_tomcatver
> 
> Details: 404 Error Page Cross Site Scripting Vulnerability 
> 12/21/09 Apache Tomcat is prone to a cross-site scripting
> vulnerability because it fails to properly sanitize user-supplied
> input. An attacker may leverage this issue to execute arbitrary
> script code in the browser of an unsuspecting user in the context
> of the affected site. Apache Tomcat mitigates HTTP_PROXY
> environment variable "httpoxy" issue
> 
> I have read everything I can find and it still doesn't make
> sense... can someone help to point me in the correct direction?
> 
> I am further puzzled because this is the first time this has come
> up and we have run Tomcat for years... note that the date is listed as
> 12-21-2009.

Technically, this is not a vulnerability in Tomcat (or any
reverse-proxy, such as httpd) but it does represent a failure to
protect stupid command-line utilities from making bad decisions about
trusting environment variables.

Long story short, if using the CGI Servlet, any headers coming from
the request are set as HTTP_* environment variables on a script that
is executed as a CGI script. Notably, python, Perl, and PHP (and
others) use an environment variable called HTTP_PROXY to indicate the
presence of a forward-proxy to be used for outgoing HTTP connections.
Thus, setting a "Proxy" header in an HTTP request to Tomcat will
result in a CGI script seeing that value in the HTTP_PROXY environment
variable. This could present a problem in your environment, but is
possible to mitigate in a number of different ways.

https://www.apache.org/security/asf-httpoxy-response.txt

I have no idea where your scanner got the date 2009-12-21. Perhaps
they took the recently-disclosed CVE (CVE-2016-5388 -- note the year
on that CVE identifier) and made a best-guess of when the product was
first vulnerable. The first beta version of Tomcat 7 wasn't available
until 2010, so perhaps they were considering Tomcat 6 as well. But
Tomcat 6's history goes back well before that. Honestly, I think they
may have picked that date out of the air.

At any rate, you are safe if any of the following are true:

1. You don't use the CGI servlet
2. You don't use any scripts that use HTTP_PROXY in this manner
   (this is a weak criterion, since you may not KNOW if you are using
    such scripts)
3. You don't allow outgoing HTTP requests from your application servers,
   and no error messages produced by those scripts would leak any
   information like URLs, etc.
4. If you have a reverse-proxy (e.g. httpd) and explicitly remove any
   "proxy" headers from incoming HTTP requests

Mitigation is possible through a variety of means. If you aren't
vulnerable, this scan is likely to complain merely because of the
version number of Tomcat and the fact that this CVE hasn't officially
been closed, yet.

-chris
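The header-to-environment mapping described above, plus the two mitigations (dropping the "Proxy" header before it reaches CGI, and a script refusing a client-derived HTTP_PROXY), as an added Python example that is not from this thread, Tomcat, or the ASF response; the request headers are constructed and the CGI mapping is simplified to the HTTP_* rule.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed request headers: "Proxy" is the header httpoxy abuses.
CONSTRUCTED_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example.test"),
    ("User-Agent", "scanner/1.0"),
    ("Proxy", "http://untrusted.example.test:8080"),
]


def cgi_env_from_headers(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Simplified CGI (RFC 3875) rule: each request header becomes
    HTTP_<NAME>, upper-cased, with '-' replaced by '_'. This is how a
    client-supplied 'Proxy' header turns into HTTP_PROXY for the script."""
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Mitigation at the reverse proxy or servlet layer: remove any 'Proxy'
    header (names are case-insensitive) before the request reaches CGI."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def effective_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Mitigation inside the script: when running under CGI (REQUEST_METHOD
    is set), HTTP_PROXY came from the client and must be ignored. Only the
    lowercase http_proxy is trusted there, because the CGI mapping can never
    produce a lowercase name from a request header."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def poisoned_proxy_in_env(env: Dict[str, str]) -> bool:
    """Detection helper: true if a CGI environment carries a client-set
    HTTP_PROXY, i.e. the request reached the script with a 'Proxy' header."""
    return "REQUEST_METHOD" in env and "HTTP_PROXY" in env


if __name__ == "__main__":
    raw = cgi_env_from_headers(CONSTRUCTED_HEADERS)
    print("unfiltered env poisoned:", poisoned_proxy_in_env(raw))
    print("script would use proxy:", effective_outbound_proxy(raw))
    hardened = cgi_env_from_headers(strip_proxy_header(CONSTRUCTED_HEADERS))
    print("hardened env poisoned:", poisoned_proxy_in_env(hardened))
```

At an httpd reverse proxy the equivalent of strip_proxy_header is the documented `RequestHeader unset Proxy early` directive.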

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org