
CIAC INFORMATION BULLETIN

R-312: Apache Tomcat Vulnerability

[Security-4]

July 25, 2007 19:00 GMT

PROBLEM: The example SendMailServlet page that comes with Apache Tomcat is vulnerable to cross-site scripting via the "From" field.
PLATFORM: Apache Tomcat
   4.0.0 to 4.0.6
   4.1.0 to 4.1.36
DAMAGE: A remote attacker may be able to execute arbitrary script within the security context of the web site running Apache Tomcat.
SOLUTION: There is no known solution. Please see the bulletin for recommendations.

VULNERABILITY
ASSESSMENT:
The risk is LOW. A remote attacker may be able to execute arbitrary script within the security context of the web site running Apache Tomcat.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-312.shtml
  ORIGINAL BULLETIN: http://tomcat.apache.org/security-4.html
  PATCHES: US-CERT CERT Advisory CAA-2000-02 http://www.cert.org/advisories/CA-2000-02.html
  CVE: CVE-2007-3383

[***** Start Security-4 *****]


low: Cross-site scripting CVE-2007-3383

When reporting error messages, the SendMailServlet (part of the examples web application) did not escape user-provided data before including it in the output. This enabled an XSS attack. This Servlet now filters the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application not be installed on a production system.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36
[***** End Security-4 *****]
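As an added illustration (not code from the CIAC or Apache bulletin, nor Tomcat's own servlet), the following plain Java contrasts the unescaped error-message pattern the bulletin describes with an escaped version; the class name, method names, message text and sample address are all constructed for the example:

```java
// Added example, not part of the CIAC or Apache bulletin. Plain Java that
// contrasts the unescaped pattern described above with an escaped version;
// the message text, method names and sample address are constructed.
public final class SendMailErrorEscaping {

    // Neutralise the characters that let a value break out of HTML text or
    // an attribute. This mirrors the "filter the data before use" fix in
    // spirit; it is not Tomcat's actual filter code.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the request parameter is concatenated straight into
    // the error page, so any markup in it is rendered by the browser.
    static String unsafeErrorHtml(String from) {
        return "<p>Message could not be sent. From: " + from + "</p>";
    }

    // Fixed pattern: same message, but the user-supplied value is escaped first.
    static String safeErrorHtml(String from) {
        return "<p>Message could not be sent. From: " + escapeHtml(from) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed input: an address with stray markup, as a user might submit.
        String from = "alice@example.com <b>bold</b> & \"quoted\"";
        System.out.println("unsafe: " + unsafeErrorHtml(from));
        System.out.println("safe:   " + safeErrorHtml(from));
        // In the safe output the <b> tags appear as literal text
        // (&lt;b&gt;) rather than being interpreted by the browser.
    }
}
```

Undeploying the examples web application, as the bulletin recommends, removes the exposed servlet entirely; output escaping of this kind is the general defence for any page that reflects request data.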


CIAC wishes to acknowledge the contributions of Apache for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788