Bug 489028 (CVE-2009-0781) - CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
Summary: CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0781
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On: 503980 503981 504113 533903 533905 613004 613005
Blocks:
Reported: 2009-03-06 19:58 UTC by Vincent Danen
Modified: 2021-11-12 19:56 UTC
CC: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-25 20:09:38 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2009:1164 | 0 | normal | SHIPPED_LIVE | Important: tomcat security update | 2009-07-21 20:56:29 UTC
Red Hat Product Errata | RHSA-2009:1562 | 0 | normal | SHIPPED_LIVE | Important: tomcat security update | 2009-11-09 15:26:22 UTC

Description Vincent Danen 2009-03-06 19:58:29 UTC
Quoting the upstream advisory:

The calendar application in the examples contains invalid HTML which
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.

Mitigation:
6.0.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750924&view=rev
 - upgrade to 6.0.19 when released
5.5.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750928&view=rev
 - upgrade to 5.5.28 when released
4.1.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750927&view=rev
 - upgrade to 4.1.40 when released

Example:
http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')});

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
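
The advisory attributes the bypass to invalid HTML around the time parameter, and its example URL injects a STYLE attribute using nothing more than a space, with no angle brackets or quotes. The following added Python example (not Tomcat's code; the unquoted-attribute rendering is an assumed reconstruction of the flawed pattern, not taken from the page) shows why character escaping alone does not protect an unquoted attribute value, and that quoting the attribute closes the gap:

```python
import html
from html.parser import HTMLParser

# Constructed input modelled on the advisory's example: a space followed by an
# attribute name. It contains no '<', '>', '&' or quotes, so escaping leaves it unchanged.
TIME_PARAM = "8am STYLE=color:red"


def render_unquoted(time_value: str) -> str:
    """Assumed reconstruction of the flawed pattern: the value is escaped, but
    emitted inside an UNQUOTED attribute value, which is invalid HTML."""
    return '<input type="text" name="time" value=%s>' % html.escape(time_value, quote=True)


def render_quoted(time_value: str) -> str:
    """Hardened form: the same escaping, with the attribute value quoted so a
    space can no longer terminate it and start a new attribute."""
    return '<input type="text" name="time" value="%s">' % html.escape(time_value, quote=True)


class InputAttrs(HTMLParser):
    """Collects the attributes a tolerant HTML parser assigns to the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)  # attribute names arrive lower-cased


def parsed_input_attrs(markup: str) -> dict:
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def attribute_injected(markup: str) -> bool:
    """True if the rendered markup carries any attribute beyond the three intended ones."""
    return bool(set(parsed_input_attrs(markup)) - {"type", "name", "value"})


if __name__ == "__main__":
    for render in (render_unquoted, render_quoted):
        out = render(TIME_PARAM)
        print(render.__name__, "->", parsed_input_attrs(out), "injected:", attribute_injected(out))
```

With the unquoted form the parser splits the value at the space and treats STYLE as a second attribute; with the quoted form the whole string stays inside value, which is why both removing the example application and applying the upstream patch are listed as complete mitigations.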

Comment 5 Vincent Danen 2009-07-21 18:06:35 UTC
Fixes are located here:

http://svn.apache.org/viewvc?rev=750924&view=rev (patch for 6.x)
http://svn.apache.org/viewvc?rev=750928&view=rev (patch for 5.x)

Comment 6 errata-xmlrpc 2009-07-21 20:56:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html

Comment 7 Murray McAllister 2009-08-17 10:09:32 UTC
Contrary to what the errata stated, the RHSA-2009:1164 update did not fix the CVE-2009-0781 flaw. A future update will address this issue.

Comment 10 errata-xmlrpc 2009-11-09 15:26:39 UTC
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html

Comment 16 Kurt Seifried 2011-10-25 20:09:38 UTC
All child bugs are closed; closing parent bug.

