Cross-site scripting through sendError (CVE-2008-1232)

Bug #256926 reported by Thierry Carrez on 2008-08-11
Affects             Status        Importance  Assigned to
tomcat5.5 (Debian)  Fix Released  Unknown
tomcat5.5 (Ubuntu)                Low         Thierry Carrez
  Hardy                           Low         Thierry Carrez
tomcat6 (Ubuntu)                  Undecided   Thierry Carrez
  Hardy                           Undecided   Unassigned

Bug Description

CVE-2008-1232
The message argument of the HttpServletResponse.sendError() call is not only displayed on the error page, but is also used as the reason phrase of the HTTP response status line. The message may therefore contain characters that are illegal in HTTP headers (in particular CR and LF), and a specially crafted message can result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user-supplied data must be included in the message argument.

Affects: 6.0.0-6.0.16, 5.5.0-5.5.26
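The defensive counterpart of the description above, as an added example that is neither Tomcat's own fix nor code from the Ubuntu package: a response wrapper that reduces the sendError() message to characters legal in an HTTP reason phrase before the container writes the status line, plus a filter that installs the wrapper for every request. It assumes the javax.servlet API used by Tomcat 5.5 and 6; the class and method names (SafeErrorResponse, sanitizeReasonPhrase, SafeSendErrorFilter) and the sample message in main() are constructed for this example.

```java
// Added example, not Tomcat's or the Ubuntu package's own code. Assumes the
// javax.servlet API of the Tomcat 5.5/6 era; all class and method names are
// hypothetical.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SafeErrorResponse extends HttpServletResponseWrapper {

    public SafeErrorResponse(HttpServletResponse response) {
        super(response);
    }

    /**
     * Reduce a message to characters that are legal in an HTTP reason phrase.
     * CR and LF terminate the status line, so they, every other control
     * character, and anything outside printable ASCII are replaced by a space.
     */
    public static String sanitizeReasonPhrase(String msg) {
        if (msg == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(msg.length());
        for (int i = 0; i < msg.length(); i++) {
            char c = msg.charAt(i);
            sb.append((c >= 0x20 && c <= 0x7E) ? c : ' ');
        }
        return sb.toString();
    }

    /** Sanitize before delegating, so the container never sees a bare CR/LF. */
    @Override
    public void sendError(int sc, String msg) throws IOException {
        super.sendError(sc, sanitizeReasonPhrase(msg));
    }

    /** Stand-alone check on a constructed message containing a line break. */
    public static void main(String[] args) {
        String tainted = "Not found\r\nX-Constructed: example";
        System.out.println(sanitizeReasonPhrase(tainted));
    }
}

/** Wraps every HTTP response so all servlets in the web application are covered. */
class SafeSendErrorFilter implements Filter {

    public void init(FilterConfig cfg) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new SafeErrorResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }
}
```

Register SafeSendErrorFilter in web.xml with a `<filter>` and a `<filter-mapping>` on `/*`. The wrapper only addresses the header side of the issue described above; the message is also displayed on the error page, so whatever renders that page still has to HTML-encode it, and the durable fix is the upstream release named in the changelogs below.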

Changed in tomcat5.5:
status: Unknown → New
Thierry Carrez (ttx) on 2008-08-21
Changed in tomcat6:
assignee: nobody → tcarrez
status: New → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu1

---------------
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on
    default-jre-headless | java6-runtime-headless

 -- Thierry Carrez <email address hidden> Fri, 22 Aug 2008 09:15:11 +0200

Changed in tomcat6:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote:

That would be the patch for the 5.5.x line: http://svn.apache.org/viewvc?rev=680947&view=rev

Changed in tomcat5.5:
importance: Undecided → Low
status: New → Confirmed
Thierry Carrez (ttx) on 2008-09-09
Changed in tomcat5.5:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Changed in tomcat6:
status: New → Invalid
Thierry Carrez (ttx) on 2008-09-15
Changed in tomcat5.5:
assignee: nobody → tcarrez
importance: Undecided → Low
status: New → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package tomcat5.5 - 5.5.26-3ubuntu1

---------------
tomcat5.5 (5.5.26-3ubuntu1) intrepid; urgency=low

  * Fix tomcat5.5 Java environment to match status of Java in intrepid:
    - control: Moved Java runtime deps to libtomcat5.5-java
    - control: Depends on default-jre-headless | java2-runtime-headless
    - tomcat5.5.init: Fix JVM list to match java2-runtime-headless
    - rules, control: Builds with default-jdk, libecj-java build-dep added
    - Fixes LP: #212521, LP: #179447
  * tomcat5.5.postinst: Removed superfluous /etc/tomcat5.5/tomcat5.5 linking
  * rules, tomcat5.5.init: implement TearDown spec
  * tomcat5.5.install: don't install catalina.policy (LP: #112626)
  * Fix CVE-2008-1232 cross-site scripting vulnerability (LP: #256926)
  * Fix CVE-2008-2370 information disclosure vulnerability (LP: #256922)
  * Fix CVE-2008-2938 directory traversal (LP: #256802)

 -- Thierry Carrez <email address hidden> Wed, 10 Sep 2008 12:00:09 +0200

Changed in tomcat5.5:
status: In Progress → Fix Released
Changed in tomcat5.5:
status: In Progress → Fix Released
Changed in tomcat5.5:
status: New → Fix Committed
Changed in tomcat5.5:
status: Fix Committed → Fix Released
This report contains Public Security information; everyone can see this security-related information.