   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-71
Apache Tomcat Host Manager "name" Cross-Site Scripting Vulnerability

Original Issue Date: June 05, 2008

Severity Rating: Medium

System Affected

  • Apache Tomcat 5.5.9 to 5.5.26
  • Apache Tomcat 6.0.0 to 6.0.16

Overview

A vulnerability has been reported in Apache Tomcat, which can be exploited by an attacker to conduct cross-site scripting attacks.

Description

This vulnerability is due to an input validation error in the "host-manager/html/add" script. The user-supplied hostname attribute is not filtered before being included in the output. This issue can be exploited by an attacker to execute arbitrary HTML and script code in a logged-in user's browser session in the context of an affected site.
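The following is an added illustration, not Tomcat's own code or patch, of the two defensive steps the description implies a handler like "host-manager/html/add" needs: validate the submitted hostname against a strict pattern, then HTML-escape it before echoing it into the page. The class and method names are hypothetical and the sample inputs are constructed.

```java
import java.util.regex.Pattern;

/** Hypothetical helper contrasting unfiltered reflection with a validated, escaped echo. */
public final class HostNameRendering {

    // RFC 1123 style hostname: labels of letters, digits and hyphens, joined by dots,
    // no label starting or ending with a hyphen, each label at most 63 characters.
    private static final Pattern HOSTNAME =
        Pattern.compile("^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$");

    /** The pattern the advisory describes: the submitted name goes straight into the HTML. */
    public static String renderUnsafe(String hostName) {
        return "<tr><td>Host " + hostName + " added</td></tr>";
    }

    /** Step 1: reject anything that is not a plausible hostname before doing any work. */
    public static boolean isValidHostName(String hostName) {
        return hostName != null && hostName.length() <= 253
            && HOSTNAME.matcher(hostName).matches();
    }

    /** Step 2: HTML-escape whatever is echoed, even after validation (defence in depth). */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened handler: validate, then escape; invalid names get a fixed message, not an echo. */
    public static String renderSafe(String hostName) {
        if (!isValidHostName(hostName)) {
            return "<tr><td>Invalid host name rejected</td></tr>";
        }
        return "<tr><td>Host " + escapeHtml(hostName) + " added</td></tr>";
    }

    public static void main(String[] args) {
        String[] samples = { "www.example.com", "bad<b>name" }; // constructed inputs
        for (String s : samples) {
            System.out.println("unsafe: " + renderUnsafe(s));
            System.out.println("safe:   " + renderSafe(s));
        }
    }
}
```

The second sample shows why validation alone is the first gate: a name containing markup characters never reaches the page, and anything that does pass is still escaped.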

Workarounds

  • Do not visit untrusted sites while logged in to the host-manager application.
  • Log out (close the browser) once finished with the host-manager.

Vendor Information

Apache Tomcat
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

References

FrSIRT
http://www.frsirt.com/english/advisories/2008/1725

Secunia
http://secunia.com/advisories/30500/

CVE-Name
CVE-2008-1947

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003