'Re: Tomcat 4.0.6 / 6.0.37 Struts 1.2.8 XSS CVE-2006-1548'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       tomcat-user
Subject:    Re: Tomcat 4.0.6 / 6.0.37 Struts 1.2.8 XSS CVE-2006-1548
From:       Mark Thomas <markt () apache ! org>
Date:       2018-05-17 20:42:05
Message-ID: 7d98f807-957c-4177-0892-db4c340f0f79 () apache ! org
[Download RAW message or body]

On 17/05/18 17:43, Chris Bonk wrote:
> Hey Mark,
> 
> I really appreciate your reply.
> 
> I can't see anything in the revision that specifically states sanitization
> however my Java isn't the best nor my software development with regards to
> what a "Valve" would be responsible for. I suspect that worrying about XSS
> at that level isn't a concern.
> 
> Is it safe to assume that when passing a string Message to
> ServletException(message), that it can't be abused with embedded dangerous
> characters? Or is it dependant on how the exception is displayed (i.e. the
> template used for 500 errors)

It depends.

If you are using Tomcat's standard error page, then yes it is safe.

If you are using an application provided (custom) error page then it
will depend on how that page has been written.

If you use a Servlet container other than Tomcat and using the standard
error page mechanism you are probably OK but you should test it.

Mark


> 
> Cheers
> 
> On Thu, 17 May 2018 at 11:46 Mark Thomas <markt@apache.org> wrote:
> 
> > On 17 May 2018 15:46:07 BST, Chris Bonk <bonk.chris@gmail.com> wrote:
> > > Hello,
> > > 
> > > I have a strange issue, I am trying to track down the root cause for an
> > > ancient CVE-2006-1548
> > > 
> > > 
> > http://struts.1045723.n5.nabble.com/DO-NOT-REPLY-Bug-38749-New-XSS-vulnerability-in-LookupDispatchAction-td3510079.html
> > 
> > > 
> > > I can replicate the XSS in Tomcat 4.0.6, however in Tomcat 6.0.37 the
> > > html
> > > characters needed to inject the script are properly encoded, what is
> > > the
> > > mechanism for this? I haven't been able to determine why
> > > ServletException
> > > handles the message parameter different between versioning.
> > > 
> > > Can anyone point me in the right direction?
> > 
> > Looks like the error handling was rewritten in 4.1.x.
> > 
> > 
> > http://svn.apache.org/viewvc/tomcat/archive/tc4.1.x/trunk/container/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java?view=log
> >  
> > 286679 looks relevant.
> > 
> > I'm on my phone so checking further is tricky but I suspect this is one of
> > those grey areas in the spec where it isn't clear if the webapp or the
> > container is responsible for sanitizing the data.
> > 
> > Mark
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > 
> > 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic