Multiple Java Servlet cross-site scripting
java-servlet-crosssite-scripting (6793)
Description:
Java servlets from multiple vendors could allow a remote attacker to execute arbitrary code on the system of a client that follows a crafted link. A remote attacker can embed specially crafted text into a URL that generates an error on the server. The server returns that text in its error message, and the code does not execute until a client opens the URL in a Web browser.
Platforms Affected:
- Apache, Tomcat 4.0 Beta
- Caucho, Resin
- IBM, VisualAge for Java 3.5 Professional
- IBM, WebSphere Application Server 3.0.2
- IBM, WebSphere Application Server 3.5.2
- Macromedia, JRun 3.0
Remedy:
For Jakarta Tomcat 3.2:
Upgrade to the latest version of Jakarta Tomcat (3.2 beta 2 or later), as listed in CHINANSL Security Advisory (CSA-200105). See References.
For Jakarta Tomcat 4.0 beta:
Upgrade to the latest version of Jakarta Tomcat (4.0 beta 2 or later), as listed in [ANNOUNCE] Tomcat 4.0 Beta 2. See References.
For Allaire JRun 2.3.3 and 3.0:
Apply the appropriate patch for your system, as listed in Macromedia Product Security Bulletin MPSB01-06. See References.
For IBM WebSphere:
No remedy available as of July 2001.
For Resin:
No remedy available as of July 2001.
As a workaround, customize error pages.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Access
References:
- Apache Web site, Cross Site Scripting Info at http://httpd.apache.org/info/css-security/.
- BugTraq Mailing List, Mon Jul 02 2001 - 06:31:00 CDT, Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2001-07/0021.html.
- Macromedia Product Security Bulletin MPSB01-06, JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability) at http://www.macromedia.com/v1/handlers/index.cfm?ID=21498.
- Macromedia Product Security Bulletin MPSB01-06, JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting vulnerability (a.k.a. JavaScript code execution vulnerability) at http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full.
- Microsoft Security Bulletin MS00-060, Patch Available for 'IIS Cross-Site Scripting' Vulnerabilities at http://www.microsoft.com/technet/security/bulletin/ms00-060.mspx.
- Resin Change Log, 1.2.4 - April 11, 2001 at http://www.caucho.com/products/resin/changes.xtp.
- Texas Metronet Web site, [ANNOUNCE] Tomcat 4.0 Beta 2 at http://w4.metronet.com/~wjm/tomcat/2001/Mar/msg01028.html.
- Texas Metronet Web site, Re: CHINANSL Security Advisory(CSA-200105) at http://w4.metronet.com/~wjm/tomcat/2001/Mar/msg00947.html.
- BID-2969: IBM WebSphere Cross-Site Scripting Vulnerability
- BID-2981: Caucho Technology Resin Cross-Site Scripting Vulnerability
- BID-2982: Apache Tomcat Cross-Site Scripting Vulnerability
- BID-2983: Allaire JRun Cross-Site Scripting Vulnerability
- CVE-2001-0824: Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 allows remote attackers to execute Javascript by inserting the Javascript into (1) a request for a .JSP file, or (2) a request to the webapp/examples/ directory, which inserts the Javascript into an error page.
- CVE-2001-0828: A cross-site scripting vulnerability in Caucho Technology Resin before 1.2.4 allows a malicious webmaster to embed Javascript in a hyperlink that ends in a .jsp extension, which causes an error message that does not properly quote the Javascript.
- CVE-2001-0829: A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message.
- CVE-2001-1084: Cross-site scripting vulnerability in Allaire JRun 3.0 and 2.3.3 allows a malicious webmaster to embed Javascript in a request for a .JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which causes the Javascript to be inserted into an error message.
- CVE-2001-1121: DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-2001-1084.
- CVE-2001-1441: Cross-site scripting (XSS) vulnerability in VisualAge for Java 3.5 Professional allows remote attackers to execute JavaScript on other clients via the URL, which injects the script in the resulting error message.
- OSVDB ID: 1890: Caucho Resin Java Servlet Error Page XSS
- OSVDB ID: 1891: Allaire JRun Java Servlet Error Page XSS
- US-CERT VU#270083: IBM VisualAge Professional vulnerable to Cross-Site Scripting via passing of user input directly to default error page
- US-CERT VU#560659: IBM WebSphere vulnerable to Cross-Site Scripting via passing of user input directly to default error page
- US-CERT VU#654643: Allaire JRun Java Application Server vulnerable to Cross-Site Scripting via passing of user input directly to default error page
- US-CERT VU#672683: Apache Tomcat vulnerable to Cross-Site Scripting via passing of user input directly to default error page
- US-CERT VU#981651: Caucho Technologies Resin vulnerable to Cross-Site Scripting via passing of user input directly to default error page
Reported:
Jul 02, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
