Multiple Java Servlet cross-site scripting

java-servlet-crosssite-scripting (6793). The risk level is classified as High Risk.

Description:

Java servlets from multiple vendors could allow a remote attacker to execute arbitrary code on the system. A remote attacker can embed specially crafted text in a URL that generates an error on the server. The server copies that text into its error page, and the embedded code does not execute until a client opens the URL in a Web browser.


Consequences:

Gain Access

Remedy:

For Jakarta Tomcat 3.2:
Upgrade to the latest version of Jakarta Tomcat (3.2 beta 2 or later), as listed in CHINANSL Security Advisory (CSA-200105). See References.

For Jakarta Tomcat 4.0 beta:
Upgrade to the latest version of Jakarta Tomcat (4.0 beta 2 or later), as listed in [ANNOUNCE] Tomcat 4.0 Beta 2. See References.

For Allaire Jrun 2.3.3 and 3.0:
Apply the appropriate patch for your system, as listed in Macromedia Product Security Bulletin MPSB01-06. See References.

For IBM WebSphere:
No remedy available as of July 2001.

For Resin:
No remedy available as of July 2001.

As a workaround, customize error pages.

For other distributions:
Contact your vendor for upgrade or patch information.
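
The error-page workaround above, as an added example in plain Java (not code from any vendor named on this page): it contrasts an error page that copies the requested path into its HTML with a customized page that HTML-escapes it first. The class name, method names and sample path are constructed for illustration.

```java
// Added example: default-style error page vs. a customized, escaping error page.
public class ErrorPageDemo {

    // Encode the five characters that can change HTML context.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the advisory: request text is copied into the page as-is.
    static String defaultErrorPage(String requestPath) {
        return "<html><body><h1>404 Not Found</h1><p>" + requestPath
             + " was not found on this server.</p></body></html>";
    }

    // Customized page: same message, with the request text encoded as data.
    // A fixed page that echoes no request data at all is the simplest variant.
    static String customErrorPage(String requestPath) {
        return "<html><body><h1>404 Not Found</h1><p>" + escapeHtml(requestPath)
             + " was not found on this server.</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample path, as seen after the container URL-decodes it.
        String path = "/missing<script>alert(document.domain)</script>.jsp";
        String before = defaultErrorPage(path);
        String after = customErrorPage(path);
        System.out.println("default page contains <script>: " + before.contains("<script>"));
        System.out.println("custom page contains <script>:  " + after.contains("<script>"));
        System.out.println(after);
    }
}
```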

References:

  • Apache Web site: Cross Site Scripting Info.
  • BugTraq Mailing List, Mon Jul 02 2001 - 06:31:00 CDT: Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability.
  • Macromedia Product Security Bulletin MPSB01-06: JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability).
  • Microsoft Security Bulletin MS00-060: Patch Available for 'IIS Cross-Site Scripting' Vulnerabilities.
  • Resin Change Log: 1.2.4 - April 11, 2001.
  • Texas Metronet Web site: [ANNOUNCE] Tomcat 4.0 Beta 2.
  • Texas Metronet Web site: Re: CHINANSL Security Advisory(CSA-200105).
  • BID-2969: IBM WebSphere Cross-Site Scripting Vulnerability
  • BID-2981: Caucho Technology Resin Cross-Site Scripting Vulnerability
  • BID-2982: Apache Tomcat Cross-Site Scripting Vulnerability
  • BID-2983: Allaire JRun Cross-Site Scripting Vulnerability
  • CVE-2001-0824: Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 allows remote attackers to execute Javascript by inserting the Javascript into (1) a request for a .JSP file, or (2) a request to the webapp/examples/ directory, which inserts the Javascript into an error page.
  • CVE-2001-0828: A cross-site scripting vulnerability in Caucho Technology Resin before 1.2.4 allows a malicious webmaster to embed Javascript in a hyperlink that ends in a .jsp extension, which causes an error message that does not properly quote the Javascript.
  • CVE-2001-0829: A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message.
  • CVE-2001-1084: Cross-site scripting vulnerability in Allaire JRun 3.0 and 2.3.3 allows a malicious webmaster to embed Javascript in a request for a .JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which causes the Javascript to be inserted into an error message.
  • CVE-2001-1121: DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-2001-1084.
  • CVE-2001-1441: Cross-site scripting (XSS) vulnerability in VisualAge for Java 3.5 Professional allows remote attackers to execute JavaScript on other clients via the URL, which injects the script in the resulting error message.
  • OSVDB ID: 15790: IBM WebSphere Application Server (WAS) Error Page XSS
  • OSVDB ID: 1890: Caucho Resin Java Servlet Error Page XSS
  • OSVDB ID: 1891: Allaire JRun Java Servlet Error Page XSS
  • OSVDB ID: 3880: VisualAge Java Servlet Error Page XSS
  • OSVDB ID: 829: IBM WebSphere Application Server (WAS) Java Servlet Error Page XSS
  • OSVDB ID: 844: Apache Tomcat Java Servlet Error Page XSS
  • US-CERT VU#270083: IBM VisualAge Professional vulnerable to Cross-Site Scripting via passing of user input directly to default error page
  • US-CERT VU#560659: IBM WebSphere vulnerable to Cross-Site Scripting via passing of user input directly to default error page
  • US-CERT VU#654643: Allaire JRun Java Application Server vulnerable to Cross-Site Scripting via passing of user input directly to default error page
  • US-CERT VU#672683: Apache Tomcat vulnerable to Cross-Site Scripting via passing of user input directly to default error page
  • US-CERT VU#981651: Caucho Technologies Resin vulnerable to Cross-Site Scripting via passing of user input directly to default error page

Platforms Affected:

  • Apache Tomcat 4.0 Beta
  • Caucho Resin
  • IBM VisualAge for Java 3.5 Professional
  • IBM WebSphere Application Server 3.0.2
  • IBM WebSphere Application Server 3.5.2
  • Macromedia JRun 3.0

Reported:

Jul 02, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
