Bug 489028 (CVE-2009-0781)

Summary: CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
Product: [Other] Security Response
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: dbhole, devrim, dknox, dwalluck, kreilly, kseifried, mmcallis, mschoene, rafaels, viveklak
Keywords: Security
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0781
Doc Type: Bug Fix
Last Closed: 2011-10-25 20:09:38 UTC
Bug Depends On: 503980, 503981, 504113, 533903, 533905, 613004, 613005

Description Vincent Danen 2009-03-06 19:58:29 UTC
Quoting the upstream advisory:

The calendar application in the examples contains invalid HTML which
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.

Mitigation:
6.0.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750924&view=rev
 - upgrade to 6.0.19 when released
5.5.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750928&view=rev
 - upgrade to 5.5.28 when released
4.1.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750927&view=rev
 - upgrade to 4.1.40 when released

Example:
http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')});

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
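
The advisory above says the calendar example contains invalid HTML that makes the XSS protection on the time parameter ineffective, and the mitigation is a patch to the example JSP. The block below is an added example, not code from this bug report or from the Tomcat project: it assumes that the defect is an output filter which escapes &, <, > and " but whose result is written into an attribute value that is not enclosed in quotes. The markup shape, the filter, the two render functions and the constructed input `8am STYLE=foo` are all assumptions made here. A small tokeniser reads the rendered tag the way a browser does (an unquoted value ends at the first whitespace, a quoted value at the closing quote), so the unquoted rendering exposes an injected STYLE attribute while the quoted rendering keeps the whole parameter inside VALUE, even when the input carries a double quote.

```python
import html
import re

# Constructed sample input (not the payload from the report): a value that
# contains a space followed by what looks like another attribute.
CONSTRUCTED_INPUT = "8am STYLE=foo"

# Attributes the template itself writes; anything else was injected.
EXPECTED_ATTRIBUTES = {"NAME", "TYPE", "VALUE"}


def html_filter(value: str) -> str:
    """Escape the four characters a typical HTML output filter covers.
    Assumed to stand in for the filter the example application applies."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_unquoted(time_param: str) -> str:
    """Assumed vulnerable shape: escaped value inside an UNQUOTED attribute.
    Escaping does nothing here because a space already ends the value."""
    return f'<INPUT NAME="time" TYPE=HIDDEN VALUE={html_filter(time_param)}>'


def render_quoted(time_param: str) -> str:
    """Hardened shape: the attribute is quoted AND the value is escaped, so a
    literal double quote in the input becomes &quot; and cannot close it."""
    return f'<INPUT NAME="time" TYPE=HIDDEN VALUE="{html_filter(time_param)}">'


_ATTR_RE = re.compile(r'''
    \s*([^\s=>]+)              # attribute name
    (?:\s*=\s*
        (?:"([^"]*)"           # double-quoted value
          |'([^']*)'           # single-quoted value
          |([^\s>]+)))?        # unquoted value: ends at whitespace or '>'
''', re.VERBOSE)


def parse_attributes(tag: str) -> dict:
    """Tokenise one start tag into {ATTR_NAME: decoded value}, following the
    browser rule that an unquoted value stops at the first whitespace."""
    assert tag.startswith("<") and tag.endswith(">"), "expected a single start tag"
    body = tag[1:-1]
    rest = body[re.match(r"[A-Za-z0-9]+", body).end():]  # skip the tag name
    attrs = {}
    pos = 0
    while pos < len(rest):
        m = _ATTR_RE.match(rest, pos)
        if not m:
            break  # only trailing whitespace is left
        name, dq, sq, uq = m.groups()
        raw = dq if dq is not None else sq if sq is not None else uq
        attrs[name.upper()] = html.unescape(raw) if raw is not None else None
        pos = m.end()
    return attrs


def injected_attributes(render, time_param: str) -> set:
    """Attribute names present in the rendered tag that the template never
    wrote; a non-empty set means the parameter broke out of VALUE."""
    return set(parse_attributes(render(time_param))) - EXPECTED_ATTRIBUTES


if __name__ == "__main__":
    for label, render in (("unquoted", render_unquoted), ("quoted", render_quoted)):
        tag = render(CONSTRUCTED_INPUT)
        print(f"{label}: {tag}")
        print(f"  parsed:   {parse_attributes(tag)}")
        print(f"  injected: {injected_attributes(render, CONSTRUCTED_INPUT) or 'none'}")
```

The check this encodes for reviewing a fix of this kind: escaping alone is only sufficient when every interpolated attribute value is also enclosed in quotes, because the escaping of `"` is what keeps the attacker inside the quoted value, and an unquoted value is terminated by plain whitespace that no filter removes.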

Comment 5 Vincent Danen 2009-07-21 18:06:35 UTC
Fixes are located here:

http://svn.apache.org/viewvc?rev=750924&view=rev (patch for 6.x)
http://svn.apache.org/viewvc?rev=750928&view=rev (patch for 5.x)

Comment 6 errata-xmlrpc 2009-07-21 20:56:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html

Comment 7 Murray McAllister 2009-08-17 10:09:32 UTC
Contrary to what the errata stated, the RHSA-2009:1164 update did not fix the CVE-2009-0781 flaw. A future update will address this issue.

Comment 10 errata-xmlrpc 2009-11-09 15:26:39 UTC
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html

Comment 16 Kurt Seifried 2011-10-25 20:09:38 UTC
All child bugs are closed, closing parent bug.