SecurityReason - Tomcat host-manager XSS vulnerability

Register | Forget Password | Login

	SecurityReason
News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research

	WLB
WLB Database

Send to WLB

About WLB

	RSS
News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

	Corporate
Contact

About us

	Services
SecurePHP


	Note
If you have found a vulnerability, please send to our SecurityAlert Database : secalert()securityreason()com Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive : exploit()securityreason()com

Details : SecurityAlert

Topic :

Tomcat host-manager XSS vulnerability

SecurityAlert : 3919

CVE : CVE-2008-1947

SecurityRisk : Low alert

alert

(About)

Remote Exploit : Yes

Local Exploit : No

Victim interaction required : No

Exploit Given : No

Credit : Mark Thomas

Published : 05.06.2008

Affected Software :

Tomcat 5.5.9 to 5.5.26
Tomcat 6.0.0 to 6.0.16

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-1947: Tomcat host-manager XSS vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.26
Tomcat 6.0.0 to 6.0.16
This issue has been fixed in the source repositories for each version and
will be included in 5.5.27 and 6.0.17. It is anticipated that these
versions will be released shortly.

Description:
The user supplied hostname attribute is not filtered before being included
in the output.

Mitigation:
Do not visit untrusted sites whilst logged in to the host-manager
application and log out (close the browser) once finished with the
host-manager.

Example:
Assume that after logged in, the victim was lead to the malicious web
server with following file installed.
<form action="http://localhost:8080/host-manager/html/add" method="get">
~ <INPUT TYPE="hidden" NAME='name' VALUE="<script>alert()</script>">
~ <INPUT TYPE="hidden" NAME='aliases' VALUE="somealias">
~ <input type="submit">
</form>

Credit:
These issues were discovered by Petr Splichal of RedHat.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhEahEACgkQb7IeiTPGAkOQggCgirNfHSCkMDhcEzG6Ig1N0WzP
qesAoKXePHeBKaB0VzeBoowW5kvZpBQx
=4nQe
-----END PGP SIGNATURE-----

Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.

	Alert
BSD libc (strfmon) Multiple vulnerabilities - 2008-03-25 Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected BSD systems.


	Apache
» Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability

» Apache Tomcat information disclosure vulnerability

» Apache Tomcat XSS vulnerability

» Apache-SSL memory disclosure



	PHP
» PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass

» PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

» PHP 5.2.5 and prior : *printf() functions Integer Overflow

» PHP 5.2.5 cURL safe_mode bypass

Copyright © SecurityReason. All Rights Reserved.