Bug 532693 (CVE-2009-4609, CVE-2009-4610, CVE-2009-4612) - CVE-2009-4609 CVE-2009-4610 CVE-2009-4612 jetty: multiple XSS and information leaks in demo servlets
Summary: CVE-2009-4609 CVE-2009-4610 CVE-2009-4612 jetty: multiple XSS and information...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-4609, CVE-2009-4610, CVE-2009-4612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 532733
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-03 14:58 UTC by Tomas Hoger
Modified: 2019-09-29 12:33 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-22 07:50:02 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2009-11-03 14:58:53 UTC
ush.it reported multiple flaws affecting jetty 6.x and 7.x:

  http://www.ush.it/2009/10/25/jetty-6x-and-7x-multiple-vulnerabilities/

Following information leaks problems are reported for demo applications:

 A) "Dump Servlet" information leak
    (Affected versions: Any)

 B) "FORM Authentication demo" information leak
    (Affected versions: Any)

and XSS issues:

 C) "JSP Dump" reflected XSS
    (Affected versions: Any)

 D) "Session Dump Servlet" stored XSS
    (Affected versions: Any)

 G) "Cookie Dump Servlet" stored XSS
    (Affected versions: =<6.1.20)

 H) WebApp JSP Snoop page XSS
    (Affected versions: =<6.1.21)

Comment 1 Tomas Hoger 2009-11-03 14:59:48 UTC
Local copy of the advisory:
  https://bugzilla.redhat.com/show_bug.cgi?id=532675#c1

Comment 2 Tomas Hoger 2009-11-03 15:01:13 UTC
As noted in the advisory, 'G) "Cookie Dump Servlet" stored XSS' was previously made public via Core Security advisory - see CVE-2009-3579 / bug #532656.

Comment 3 Tomas Hoger 2009-11-03 16:58:44 UTC
I'm not sure why A) and B) are considered information leaks.

Dump Servlet mostly contains information relevant to the current connection that is already known to the client.  For the rest, it's purpose of that demo to dump that info, so it's not really a flaw in jetty, rather in production deployment where that demo is not disabled.

For the FORM Authentication demo, the only leak mentioned is an information that jetty is running on the host.  Server (including version) identification in HTTP reply header is as good, if not better, source of such info.

I'm not sure if upstream is going to do anything about those.

Comment 4 Tomas Hoger 2009-11-03 16:59:36 UTC
I don't see any fix for the other XSS issues committed in upstream SVN so far, but the fixes should appear in 6.1.22.

Comment 17 Tomas Hoger 2010-01-22 07:50:02 UTC
Example applications are no longer included in jetty 6.x packages.


Note You need to log in before you can comment on or make changes to this bug.