Bug 489028 - (CVE-2009-0781) CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
http://web.nvd.nist.gov/view/vuln/det...
impact=low,source=asf,reported=200903...
: Security
Depends On: 503980 503981 504113 533903 533905 613004 613005
Reported: 2009-03-06 14:58 EST by Vincent Danen
Modified: 2016-03-04 06:25 EST
Doc Type: Bug Fix
Last Closed: 2011-10-25 16:09:38 EDT

Description Vincent Danen 2009-03-06 14:58:29 EST
Quoting the upstream advisory:

The calendar application in the examples contains invalid HTML which
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.

Mitigation:
6.0.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750924&view=rev
 - upgrade to 6.0.19 when released
5.5.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750928&view=rev
 - upgrade to 5.5.28 when released
4.1.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750927&view=rev
 - upgrade to 4.1.40 when released

Example:
http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')});

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
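As an added illustration of the flaw class the advisory describes (example code written for this page, not from Tomcat or the bug report): an output filter that entity-encodes `<`, `>`, `&` and `"` is modelled in Python, applied once to an unquoted HTML attribute value (assumed, from the advisory's example, to be how the calendar page emitted the time parameter) and once to the quoted form, and a browser-style parser then shows which rendering lets the value grow a second attribute. The filter, the markup templates and the sample input are constructed for the demonstration.

```python
from html.parser import HTMLParser

def html_filter(value: str) -> str:
    """Entity-encode the characters a typical output filter handles.
    Assumption: this mirrors the kind of filter the examples app applied.
    Whitespace is not on the list, which is the whole problem below."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def render_vulnerable(time: str) -> str:
    # Unquoted attribute value: the first whitespace ends VALUE and
    # everything after it is parsed as further attributes of the tag.
    return '<INPUT NAME="time" TYPE=HIDDEN VALUE=%s>' % html_filter(time)

def render_fixed(time: str) -> str:
    # Quoted attribute value: only a literal '"' could end it, and the
    # filter turns that into &quot;, so the value stays one string.
    return '<INPUT NAME="time" TYPE=HIDDEN VALUE="%s">' % html_filter(time)

class _FirstTag(HTMLParser):
    """Collect the attributes of the first start tag, as a browser would."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)   # names are lower-cased by the parser

def parsed_attributes(markup: str) -> dict:
    """Return {attribute: value} of the first tag in the rendered markup."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}

# Constructed input in the shape of the advisory's example: a plausible
# time value, then whitespace, then an extra (harmless) attribute.
INJECTED = "8am STYLE=color:red"

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("fixed", render_fixed)):
        attrs = parsed_attributes(render(INJECTED))
        print(name, sorted(attrs), "value=%r" % attrs.get("value"))
```

Running it shows the unquoted form yielding a `style` attribute while the quoted form keeps the whole input inside `value`; the same check applies to any attribute an application emits from request data.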
Comment 5 Vincent Danen 2009-07-21 14:06:35 EDT
Fixes are located here:

http://svn.apache.org/viewvc?rev=750924&view=rev (patch for 6.x)
http://svn.apache.org/viewvc?rev=750928&view=rev (patch for 5.x)
Comment 6 errata-xmlrpc 2009-07-21 16:56:45 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html
Comment 7 Murray McAllister 2009-08-17 06:09:32 EDT
Unlike what the errata stated, the RHSA-2009:1164 update did not fix the CVE-2009-0781 flaw. A future update will address this issue.
Comment 10 errata-xmlrpc 2009-11-09 10:26:39 EST
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html
Comment 16 Kurt Seifried 2011-10-25 16:09:38 EDT
All child bugs are closed; closing parent bug.