Bug 244808 (CVE-2007-2450)

Summary: CVE-2007-2450 tomcat host manager XSS
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: viveklak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 5.5.25-1jpp.1.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-17 05:35:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 244810, 244811, 244812, 244813, 244814, 244816, 244817, 244818, 363081, 430730, 430731, 449337    
Bug Blocks: 444136    

Description Mark J. Cox 2007-06-19 10:58:08 UTC 
According to http://tomcat.apache.org/security-5.html

low: Cross-site scripting   CVE-2007-2450

The Manager and Host Manager web applications did not escape user provided data
before including it in the output. This enabled a XSS attack. These applciations
now filter the data before use. This issue may be mitigated by logging out
(closing the browser) of the application once the management tasks have been
completed.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.24

Example:

    <form action="http://example.com:8080/manager/html/upload"
method="post" enctype="multipart/form-data">
    <INPUT TYPE="hidden"
NAME='deployWar";filename="<script>alert()</script>"
    Content-Type: image/gif' VALUE="abc">
    <input type="submit">
    </form>
Comment 7 Fedora Update System 2007-11-17 05:34:50 UTC 
tomcat5-5.5.25-1jpp.1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2007-11-17 05:37:47 UTC 
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.