Bug 532656 (CVE-2009-3579)

Summary: CVE-2009-3579 jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jjohnstn, overholt, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-22 07:50:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 532733    
Bug Blocks:    

Description Tomas Hoger 2009-11-03 11:13:11 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3579 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in the CookieDump.java sample
application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote
attackers to inject arbitrary web script or HTML via the Value
parameter in a GET request to cookie/.

Core Security Technologies advisory CORE-2009-0922:
http://www.coresecurity.com/content/jetty-persistent-xss

Sample XSS:
http://localhost:8088/cookie/?Name=a&Value=<script>alert('XSS;)</script>&Age=600

Note: Issue is not fixed in 6.1.21 as noted in CORE-2009-0922.  This should be a proper upstream fix to be included in 6.1.22:
http://fisheye.codehaus.org/changelog/jetty/?cs=5571

This sample servlet is not shipped with jetty 5.x packages, but in included in 6.x and demo applications are deployed by default.
Comment 1 Vincent Danen 2009-11-03 16:37:36 UTC 
This issue affects Fedora 12 (6.1.20) and rawhide (6.1.21) and should be corrected prior to the Fedora 12 release.
Comment 3 Jeff Johnston 2009-11-03 20:16:45 UTC 
Upstream patch applied to Fedora 12 and rawhide.
Comment 5 Tomas Hoger 2010-01-22 07:50:05 UTC 
Example applications are no longer included in jetty 6.x packages.