Bug 489028 (CVE-2009-0781) - CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
Summary: CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
Status: CLOSED ERRATA
Alias: CVE-2009-0781
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: impact=low,source=asf,reported=200903...
Keywords: Security
Depends On: 503980 503981 504113 533903 533905 613004 613005
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-06 19:58 UTC by Vincent Danen
Modified: 2019-06-08 12:42 UTC (History)
10 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-10-25 20:09:38 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1164 normal SHIPPED_LIVE Important: tomcat security update 2009-07-21 20:56:29 UTC
Red Hat Product Errata RHSA-2009:1562 normal SHIPPED_LIVE Important: tomcat security update 2009-11-09 15:26:22 UTC

Description Vincent Danen 2009-03-06 19:58:29 UTC
Quoting the upstream advisory:

The calendar application in the examples contains invalid HTML which
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.

Mitigation:
6.0.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750924&view=rev
 - upgrade to 6.0.19 when released
5.5.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750928&view=rev
 - upgrade to 5.5.28 when released
4.1.x users should do one of the following:
 - remove the examples web application
 - apply this patch http://svn.apache.org/viewvc?rev=750927&view=rev
 - upgrade to 4.1.40 when released

Example:
http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')});

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

Comment 5 Vincent Danen 2009-07-21 18:06:35 UTC
Fixes are located here:

http://svn.apache.org/viewvc?rev=750924&view=rev (patch for 6.x)
http://svn.apache.org/viewvc?rev=750928&view=rev (patch for 5.x)

Comment 6 errata-xmlrpc 2009-07-21 20:56:45 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html

Comment 7 Murray McAllister 2009-08-17 10:09:32 UTC
Unlike the errata stated, the RHSA-2009:1164 update did not fix the CVE-2009-0781 flaw. A future update will address this issue.

Comment 10 errata-xmlrpc 2009-11-09 15:26:39 UTC
This issue has been addressed in following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html

Comment 16 Kurt Seifried 2011-10-25 20:09:38 UTC
All children bugs are closed, closing parent bug


Note You need to log in before you can comment on or make changes to this bug.