COMMAND

Apache Tomcat XSS

SYSTEMS AFFECTED

Apache Tomcat v4.0.3

PROBLEM

From Matt Moore's [matt@westpoint.ltd.uk] advisory [ID#: wp-02-0008] [http://www.westpoint.ltd.uk]:

By using the /servlet/ mapping to invoke various servlets / classes it is possible to cause Tomcat to throw an exception, allowing XSS attacks:

tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/<SCRIPT>alert(document.domain)</SCRIPT>
tomcat-server/servlet/org.apache.catalina.ContainerServlet/<SCRIPT>alert(document.domain)</SCRIPT>
tomcat-server/servlet/org.apache.catalina.Context/<SCRIPT>alert(document.domain)</SCRIPT>
tomcat-server/servlet/org.apache.catalina.Globals/<SCRIPT>alert(document.domain)</SCRIPT>

Linux and Win32 versions of Tomcat are vulnerable.

The DOS device name physical path disclosure bug reported recently by Peter Grundl can also be used to perform XSS attacks, e.g.:

tomcat-server/COM2.<IMG%20src="Javascript:alert(document.domain)">

This is obviously Win32 specific.

SOLUTION

Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.

The workaround for the other XSS issues described above is as follows: the "invoker" servlet (mapped to /servlet/), which executes anonymous servlet classes that have not been defined in a web.xml file, should be unmapped. The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.

Two Nessus plugins should be available to test for these vulnerabilities from www.nessus.org:

apache_tomcat_DOS_Device_XSS.nasl
apache_tomcat_Servlet_XSS.nasl

This advisory is available online at: http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt
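As an added example (not part of the advisory or of Tomcat), a Python check that reads a conf/web.xml, reports which URL patterns route to the invoker servlet, and produces the unmapped form the workaround calls for. It assumes the invoker's class name is org.apache.catalina.servlets.InvokerServlet (Tomcat 4's class, not named on the page) and runs on a constructed web.xml excerpt.

```python
import xml.etree.ElementTree as ET
# Constructed excerpt modelled on Tomcat 4's conf/web.xml, with the weak
# setting: the invoker servlet mapped to /servlet/*.
WEB_XML_WITH_INVOKER = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
</web-app>"""

# Assumed class name of Tomcat 4's invoker servlet (not stated in the advisory).
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

def _local(tag):
    # Strip any namespace so the check also works on namespaced (servlet 2.4+) web.xml files.
    return tag.rsplit("}", 1)[-1]

def _fields(element):
    # Map child tag name to its text, e.g. {"servlet-name": "invoker", "url-pattern": "/servlet/*"}.
    return {_local(c.tag): (c.text or "").strip() for c in element}

def _invoker_names(root):
    # Identify the invoker by its class, so renaming the servlet does not hide it.
    return {_fields(s).get("servlet-name") for s in root.iter()
            if _local(s.tag) == "servlet" and _fields(s).get("servlet-class") == INVOKER_CLASS}

def invoker_url_patterns(web_xml_text):
    """Return the url-patterns routed to the invoker servlet; [] means it is unmapped."""
    root = ET.fromstring(web_xml_text)
    names = _invoker_names(root)
    return [_fields(m).get("url-pattern") for m in root.iter()
            if _local(m.tag) == "servlet-mapping" and _fields(m).get("servlet-name") in names]

def remove_invoker_mappings(web_xml_text):
    """Return web.xml text with every servlet-mapping to the invoker dropped (the workaround)."""
    root = ET.fromstring(web_xml_text)
    names = _invoker_names(root)
    for mapping in list(root):  # servlet-mapping elements are direct children of web-app
        if _local(mapping.tag) == "servlet-mapping" and _fields(mapping).get("servlet-name") in names:
            root.remove(mapping)
    return ET.tostring(root, encoding="unicode")
```

The <servlet> declaration is left in place on purpose; unmapping alone is what the advisory recommends, and removing the declaration too is an optional tidy-up.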