Bug 48577 - vulnerability in DefaultServlet
Summary: vulnerability in DefaultServlet
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.20
Hardware: All All
Importance: P2 major
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-20 03:14 UTC by naviton
Modified: 2010-03-03 17:25 UTC

Description naviton 2010-01-20 03:14:11 UTC
When you try to import a nonexistent page with JS fragments in URL parameters like

http://.../page.jsp?paramName="<script>alert('BT_XSS')</script>">&param2=2...
the following content is inserted into the response:
"The requested resource ({URL ABOVE}) is not available."
The content is not encoded, so JS code from the URL is being executed.

I think DefaultServlet should do something like

response.getWriter().write(sm.getString("defaultServlet.missingResource",
  urlEncoder.encode(requestUri)));
but HTML or XML encoding might be better.
Comment 1 Mark Thomas 2010-02-02 10:03:23 UTC
I wouldn't class this as a vulnerability as it requires both a bug (missing page) in the app and the app to pass on request parameters to the included page without validating them.

Regardless, I have added HTML filtering so the output isn't corrupted.
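
An added example, not code from this bug report or from Tomcat: it builds the message text quoted in the description three ways (unfiltered, with the URL encoding the reporter suggested, and with HTML filtering) so the outputs can be compared. The class name, the `htmlEscape` helper and the sample URI are assumptions constructed for illustration; it needs Java 10 or later for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;

// Added illustration; not Tomcat's DefaultServlet code.
public class MissingResourceMessage {
    // Message text as quoted in the report; {0} is the request URI.
    static final String TEMPLATE = "The requested resource ({0}) is not available.";

    // Hypothetical helper: escape the characters that are significant in HTML.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the report: the URI is echoed into the page as-is.
    static String unfiltered(String uri) {
        return MessageFormat.format(TEMPLATE, uri);
    }

    // Reporter's first suggestion: percent-encode the URI (safe, but shown encoded).
    static String urlEncoded(String uri) {
        return MessageFormat.format(TEMPLATE, URLEncoder.encode(uri, StandardCharsets.UTF_8));
    }

    // HTML filtering: markup characters become entities, so the text displays unchanged.
    static String htmlFiltered(String uri) {
        return MessageFormat.format(TEMPLATE, htmlEscape(uri));
    }

    public static void main(String[] args) {
        // Constructed sample, modelled on the URL in the description.
        String uri = "/page.jsp?paramName=\"<script>alert('BT_XSS')</script>\">&param2=2";
        System.out.println("unfiltered:    " + unfiltered(uri));
        System.out.println("URL-encoded:   " + urlEncoded(uri));
        System.out.println("HTML-filtered: " + htmlFiltered(uri));
    }
}
```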
Comment 2 Mark Thomas 2010-02-22 21:02:20 UTC
This has been fixed in 6.0.x and will be included in 6.0.25 onwards.
Comment 3 Konstantin Kolinko 2010-03-03 17:25:59 UTC
Fixed in 5.5 in r918592, will be in 5.5.29 onwards.