Apache Tomcat Cal2.JSP Cross-Site Scripting Vulnerability
BID:25531
Info
| Bugtraq ID: | 25531 |
| Class: | Input Validation Error |
| CVE: | CVE-2006-7196, CVE-2007-4724 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 04 2007 12:00AM |
| Updated: | Mar 19 2015 09:14AM |
| Credit: | Tushar Vartak is credited with the discovery of this vulnerability. |

Vulnerable:
- SuSE: SUSE Linux Enterprise Server 9 SP3, SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 8, SUSE Linux Enterprise Server 10 SP1, SUSE Linux Enterprise Server 10, SUSE Linux Enterprise SDK 10.SP1, SUSE Linux Enterprise SDK 10 SP1, SUSE Linux Enterprise SDK 10, SUSE Linux Enterprise Desktop 10 SP1, SUSE Linux Enterprise Desktop 10, SUSE Linux Enterprise 10 SP1 DEBUGINFO, openSUSE 10.3, Linux Professional 10.2 x86_64, Linux Personal 10.2 x86_64
- S.u.S.E.: UnitedLinux 1.0, SuSE Linux Standard Server 8.0, SuSE Linux School Server for i386, SUSE LINUX Retail Solution 8.0, SuSE Linux Openexchange Server 4.0, SuSE Linux Open-Xchange 4.1, openSUSE 10.2, openSUSE 10.1, Open-Enterprise-Server 9.0, Open-Enterprise-Server 1, Open-Enterprise-Server 0, Office Server, Novell Linux POS 9, Novell Linux Desktop SDK 9.0, Novell Linux Desktop 9.0, Novell Linux Desktop 1.0, Linux Professional 10.0 OSS, Linux Professional 10.0, Linux Professional 10.2, Linux Professional 10.1, Linux Personal 10.0 OSS, Linux Personal 10.2, Linux Personal 10.1, Linux Desktop 1.0, Linux Desktop 10, Linux 10.1 x86-64, Linux 10.1 x86, Linux 10.1 ppc, Linux 10.0 x86-64, Linux 10.0 x86, Linux 10.0 ppc
- Red Hat: Network Satellite (for RHEL 4) 4.2, Red Hat Network Satellite Server 5.0, Red Hat Network Satellite Server 4.2, Network Satellite (for RHEL 3) 4.2
- Computer Associates: Cohesion Application Configuration Manager 4.5
- Apache Software Foundation Tomcat: 5.5.15, 5.5.14, 5.5.13, 5.5.12, 5.5.11, 5.5.10, 5.5.9, 5.5.8, 5.5.7, 5.5.6, 5.5.5, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.5, 5.0.30, 5.0.28, 5.0.19, 5.0.16, 5.0.15, 5.0.14, 5.0.13, 5.0.12, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0, 4.1.31, 4.1.24, 4.1.12, 4.1.10, 4.1.3 beta, 4.1, 4.0.6, 4.0.5, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0, 4.0.0 RC2

Not Vulnerable:
- Computer Associates: Cohesion Application Configuration Manager 4.5 SP1
- Apache Software Foundation Tomcat: 5.5.16, 5.0.31, 4.1.32, 4.0.7
Discussion
Apache Tomcat is prone to a cross-site scripting vulnerability because cal2.jsp, part of the bundled examples web application (served under /examples/jsp/cal/), fails to properly sanitize the user-supplied 'time' request parameter before writing it back into the response.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The issue was reported against Apache Tomcat 4.1.31; the Vulnerable list above covers releases on the 4.0, 4.1, 5.0 and 5.5 branches, together with vendor products that ship Tomcat. Any deployment that still exposes the examples web application on one of those releases is affected.
Exploit / POC
An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI. The payload travels in the 'time' query parameter of a plain GET request and is reflected unescaped into the page, so the script element runs in the victim's browser.
The following proof-of-concept URI is available:
http://www.example.com/examples/jsp/cal/cal2.jsp?time=8am%3cscript%3ealert("XSS!")%3c%2fscript%3e
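The following is an added example, not code from the advisory or from Tomcat. It models the flaw described above (a request parameter written into the page as-is) beside the escaped form that closes it, builds the proof-of-concept URI, and provides a check that tells whether a response body still carries the payload's script element unescaped. The input template in render_vulnerable and render_hardened is a hypothetical stand-in for the JSP expression, not Tomcat's cal2.jsp source; the probe() helper is for hosts you are authorised to test.

```python
"""Reflected-XSS check for Tomcat's examples cal2.jsp (BID 25531).

Added illustration, not Tomcat code: models the unescaped reflection the
advisory describes, the escaped form that fixes it, and a response check.
"""
import html
import re
import urllib.request
from urllib.parse import urlencode

# Payload taken from the advisory's proof-of-concept URI.
PAYLOAD = '8am<script>alert("XSS!")</script>'

# Matches the payload's script element only when it survives unescaped;
# an HTML-escaped reflection (&lt;script&gt;...) does not match.
RAW_SCRIPT = re.compile(r'<script[^>]*>alert\("XSS!"\)</script>', re.IGNORECASE)


def poc_url(base: str) -> str:
    """Build the advisory's PoC URI against BASE, e.g. http://host:8080."""
    query = urlencode({"time": PAYLOAD})
    return f"{base}/examples/jsp/cal/cal2.jsp?{query}"


def render_vulnerable(time_param: str) -> str:
    """Model of the flawed pattern: the parameter is written into the page as-is.

    Hypothetical stand-in for an expression such as
    <%= request.getParameter("time") %>; not Tomcat's actual cal2.jsp source.
    """
    return f'<input type="text" name="time" value="{time_param}">'


def render_hardened(time_param: str) -> str:
    """Same page, with the parameter HTML-escaped before it is emitted.

    quote=True also escapes the double quote, so the value cannot break out
    of the attribute even when no <script> tag is involved.
    """
    return f'<input type="text" name="time" value="{html.escape(time_param, quote=True)}">'


def reflects_unescaped(body: str) -> bool:
    """True if the response body carries the payload's <script> element intact."""
    return RAW_SCRIPT.search(body) is not None


def probe(base: str, timeout: float = 5.0) -> bool:
    """Live check: fetch the PoC URI from BASE and report whether the
    script element comes back unescaped. Only run this against hosts
    you are authorised to test."""
    with urllib.request.urlopen(poc_url(base), timeout=timeout) as resp:
        return reflects_unescaped(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(poc_url("http://www.example.com"))
    print("vulnerable model:", reflects_unescaped(render_vulnerable(PAYLOAD)))
    print("hardened model:  ", reflects_unescaped(render_hardened(PAYLOAD)))
```

urlencode() percent-encodes the quotes and parentheses that the advisory's URI leaves bare; both forms decode to the same 'time' value on the server. The check deliberately looks for the whole script element rather than just the string "XSS!", so a server that escapes the angle brackets is reported as not vulnerable.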
Solution / Fix
Solution:
The vendor released updates to address this issue. Please see the references for more information.

Apache Software Foundation Tomcat 4.1, 4.1.3 beta, 4.1.12, 4.1.31:
- Apache Software Foundation v4.1.32
  http://archive.apache.org/dist/tomcat/tomcat-4/v4.1.32/

Apache Software Foundation Tomcat 5.5, 5.5.1, 5.5.10, 5.5.11, 5.5.12, 5.5.13:
- Apache Software Foundation v5.5.16
  http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.16/

For the 4.0 and 5.0 branches, the Not Vulnerable list above names 4.0.7 and 5.0.31 respectively.

Independently of the version in use, the examples web application has no purpose on a production server; removing it (the examples directory under the Tomcat webapps directory) takes cal2.jsp out of reach entirely, and the Tomcat security documentation recommends doing so.
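Added example, not part of the advisory or of Tomcat: a small triage helper that decides from a version banner or server-info string whether an install falls in the affected range, using the first fixed release on each branch exactly as the Not Vulnerable list above gives them (4.0.7, 4.1.32, 5.0.31, 5.5.16), and checks whether the examples web application is still deployed under a CATALINA_BASE directory (the path layout is an assumption about a default Tomcat layout). Versions on branches the advisory does not list are reported as unknown rather than as safe.

```python
"""Fleet triage for BID 25531: is this Tomcat install in the affected range,
and is the examples web application still deployed?

Added illustration, not Tomcat code. The fixed-version table comes from the
advisory's Not Vulnerable list; the webapps/examples path is an assumption
about a default CATALINA_BASE layout.
"""
import os
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, from the advisory's
# "Not Vulnerable" list: 4.0.7, 4.1.32, 5.0.31, 5.5.16.
FIRST_FIXED = {
    (4, 0): (4, 0, 7),
    (4, 1): (4, 1, 32),
    (5, 0): (5, 0, 31),
    (5, 5): (5, 5, 16),
}


def parse_version(text: str) -> Optional[Version]:
    """Pull major.minor[.patch] out of strings such as "Apache Tomcat/5.5.12",
    a ServerInfo.properties line, or a bare "4.1.31". A missing patch level
    (the advisory lists "5.5" and "4.1") is treated as .0. None if no version."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_affected(text: str) -> Optional[bool]:
    """True when the version is on a listed branch and older than its fix,
    False when it is at or past the fix, None when the string cannot be
    parsed or the branch is not covered by the advisory (needs manual review)."""
    v = parse_version(text)
    if v is None:
        return None
    fix = FIRST_FIXED.get(v[:2])
    if fix is None:
        return None
    return v < fix


def cal2_deployed(catalina_base: str) -> bool:
    """True if the examples webapp's cal2.jsp is present under CATALINA_BASE."""
    path = os.path.join(catalina_base, "webapps", "examples", "jsp", "cal", "cal2.jsp")
    return os.path.isfile(path)


def triage(version_text: str, catalina_base: str) -> Tuple[Optional[bool], bool]:
    """(affected version, cal2.jsp deployed). Only (True, True) is exploitable
    as described; (False, True) is still worth cleaning up, since the examples
    webapp does not belong on a production server; (None, True) needs a look."""
    return version_affected(version_text), cal2_deployed(catalina_base)


if __name__ == "__main__":
    base = os.environ.get("CATALINA_BASE", "/opt/tomcat")  # assumed default path
    for banner in ("Apache Tomcat/4.1.31", "Apache Tomcat/5.5.16", "Apache Tomcat/6.0.18"):
        print(banner, "->", triage(banner, base))
```

The banner string can be taken from the Server response header or the 404 page of an unhardened install, or from `catalina.sh version` on the host itself; the file check has to run on the host.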
References
References:
- Apache Tomcat Homepage (Apache)
- Apache tomcat calendar example cross site scripting vulnerability ([email protected])
- CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) ("Williams, James K")
- CA20090123-01: Security Notice for Cohesion Tomcat (Computer Associates)
- RHSA-2008:0261-4 Moderate: Red Hat Network Satellite Server security update (Red Hat)
- RHSA-2008:0524-4 Red Hat Network Satellite Server security update (Red Hat)