Apache Tomcat Manager application XSS vulnerability detection rule – CVE-2010-4172

The vulnerability details are below.

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x – Low, Tomcat 6.0.x – Moderate

Vendor: The Apache Software Foundation

Versions Affected:

– Tomcat 7.0.0 to 7.0.4
  – Not affected in default configuration.
  – Affected if CSRF protection is disabled
  – Additional XSS issues if web applications are untrusted
– Tomcat 6.0.12 to 6.0.29
  – Affected in default configuration
  – Additional XSS issues if web applications are untrusted
– Tomcat 5.5.x
  – Not affected

Description:

The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack.

Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.

A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.

Example:

GET /manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:

Users of affected versions should apply one of the following mitigations

– Tomcat 7.0.0 to 7.0.4
  – Remove the Manager application
  – Remove the sessionList.jsp and sessionDetail.jsp files
  – Ensure the CSRF protection is enabled
  – Apply the patch for 7.0.4 (see below)
  – Update to 7.0.5 when released
– Tomcat 6.0.12 to 6.0.29
  – Remove the Manager application
  – Remove the sessionList.jsp and sessionDetail.jsp files
  – Apply the patch for 6.0.29 (see below)
  – Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x releases.

Credit:

The original issue was discovered by Adam Muntner of Gotham Digital Science.

Additional issues were identified by the Tomcat security team as a result of reviewing the original issue.

References:

http://tomcat.apache.org/security.html

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-6.html

Note: The patches

The Apache Tomcat Security Team

The rule would look like this:

alert tcp any any -> any $HTTP_PORTS (msg:"Tomcat Manager sessionList XSS attempt (CVE-2010-4172)"; flow:to_server,established; uricontent:"/manager/html/sessions|3f|"; nocase; uricontent:"|3c|script|3e|"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)

Everything has to be in the URI part, so uricontent is used, and nocase is a given, hence the rule above.

However, if whitespace is inserted before or after "script", it could be missed.

Using pcre to detect these only in the URI part should do it.
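As an added illustration (not from the post, and not a rule shipped with Snort or Tomcat), the following Python models the pcre-based check the post suggests: the URI is URL-decoded the way Snort's normalized URI buffer is, the path must be the Manager session list, and the tag check tolerates whitespace between "<" and "script" as well as case differences. The Snort rule string, the sample request lines and the sid value 1000001 are all constructed for this example; the sid is a placeholder local sid, not an assigned one.

```python
import re
from urllib.parse import unquote, unquote_plus

# Snort form of the check (constructed for this example). The U modifier runs
# the pcre against the normalized (URL-decoded) URI buffer; \s* tolerates
# whitespace between "<" and "script"; sid 1000001 is a placeholder local sid.
SNORT_RULE = (
    'alert tcp any any -> any $HTTP_PORTS ('
    'msg:"Tomcat Manager sessionList XSS attempt (CVE-2010-4172)"; '
    'flow:to_server,established; '
    'uricontent:"/manager/html/sessions|3F|"; nocase; '
    'pcre:"/<\\s*script\\b/Ui"; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)

# Python equivalents of the two rule components.
TARGET_PATH = "/manager/html/sessions"
SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def normalize(component, plus_is_space=True, rounds=2):
    """URL-decode a URI component; a second round unwraps double encoding."""
    decoder = unquote_plus if plus_is_space else unquote
    for _ in range(rounds):
        decoded = decoder(component)
        if decoded == component:
            break
        component = decoded
    return component


def matches(request_line):
    """Return True if an HTTP request line hits the sessionList XSS signature."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    uri = parts[1]
    # Split on the raw '?' before decoding so a decoded '?' or '#' inside the
    # payload cannot hide the query string from the path check.
    path, sep, query = uri.partition("?")
    if sep != "?" or not normalize(path, plus_is_space=False).lower().endswith(TARGET_PATH):
        return False
    return SCRIPT_TAG_RE.search(normalize(query)) is not None


def scan(request_lines):
    """Return the indexes of the request lines that would raise an alert."""
    return [i for i, line in enumerate(request_lines) if matches(line)]


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    # 0: the advisory's payload, unencoded
    "GET /manager/html/sessions?path=/&sort=\"><script>alert('xss')</script>order=ASC&action=injectSessions HTTP/1.1",
    # 1: URL-encoded, with a space before an upper-case SCRIPT
    "GET /manager/html/sessions?path=/&sort=%22%3E%3C%20SCRIPT%3Ealert(1)%3C/script%3E HTTP/1.1",
    # 2: double-encoded tag
    "GET /manager/html/sessions?path=/&sort=%253Cscript%253E HTTP/1.1",
    # 3: legitimate sort request, must not alert
    "GET /manager/html/sessions?path=/&sort=lastAccessedTime&order=ASC HTTP/1.1",
    # 4: script tag on an unrelated path, outside this rule's scope
    "GET /docs/index.html?q=<script>alert(1)</script> HTTP/1.1",
    # 5: tab between "<" and "script"
    "GET /manager/html/sessions?path=/&sort=<%09script> HTTP/1.1",
    # 6: upper-case path, covered by nocase
    "GET /MANAGER/HTML/sessions?path=/&sort=%3Cscript%3E HTTP/1.1",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("alert:", SAMPLE_REQUESTS[i])
```

Decoding the query string before the regex runs is what closes the whitespace gap the post mentions; the plain uricontent match in the rule above would miss samples 1 and 5 because the tag is encoded or split by a tab.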
