Apache Tomcat Manager application XSS vulnerability detection rule – CVE-2010-4172
Below is the advisory text for the vulnerability.
CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
Severity: Tomcat 7.0.x – Low, Tomcat 6.0.x – Moderate
Vendor: The Apache Software Foundation
Versions Affected:
– Tomcat 7.0.0 to 7.0.4
  – Not affected in default configuration
  – Affected if CSRF protection is disabled
  – Additional XSS issues if web applications are untrusted
– Tomcat 6.0.12 to 6.0.29
  – Affected in default configuration
  – Additional XSS issues if web applications are untrusted
– Tomcat 5.5.x
  – Not affected
Description:
The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.
Example:
GET /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list
Mitigation:
Users of affected versions should apply one of the following mitigations:
– Tomcat 7.0.0 to 7.0.4
  – Remove the Manager application
  – Remove the sessionList.jsp and sessionDetail.jsp files
  – Ensure the CSRF protection is enabled
  – Apply the patch for 7.0.4 (see below)
  – Update to 7.0.5 when released
– Tomcat 6.0.12 to 6.0.29
  – Remove the Manager application
  – Remove the sessionList.jsp and sessionDetail.jsp files
  – Apply the patch for 6.0.29 (see below)
  – Update to 6.0.30 when released
No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x releases.
Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
Note: The patches
The Apache Tomcat Security Team
The rule would look like this:
alert tcp any any -> any $HTTP_PORTS (msg:"Tomcat Manager sessionList XSS attempt (CVE-2010-4172)"; flow:to_server,established; uricontent:"/manager/html/sessions|3f|"; nocase; uricontent:"|3c|script|3e|"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
Since everything has to be matched in the URI part, uricontent is used, and nocase is a given, hence the rule above.
However, if whitespace is inserted before or after "script", the rule could miss it (a false negative).
Using pcre to detect these patterns only within the URI part should take care of that.
- Posted: November 23, 2010 / 9:23 AM
- Category: Rule Create