Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:0897 advisory.

  - tomcat: information disclosure in authentication headers (CVE-2010-1157)

  - httpd mod_cache, mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path     segments (CVE-2010-1452)

  - apr-util: high memory consumption in apr_brigade_split_line() (CVE-2010-1623)

  - tomcat: file permission bypass flaw (CVE-2010-3718)

  - tomcat: cross-site-scripting vulnerability in the manager application (CVE-2010-4172)

  - tomcat: XSS vulnerability in HTML Manager interface (CVE-2011-0013)

  - apr: unconstrained recursion in apr_fnmatch (CVE-2011-0419)

  - httpd: mod_proxy_ajp worker moved to error state when timeout exceeded (CVE-2012-4557)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0791 advisory.

    - CVE-2010-4172, CVE-2010-3718, CVE-2011-0013, CVE-2010-4476,
    - CVE-2011-0534
    - CVE-2010-4172, CVE-2011-0013, CVE-2010-3718 commented out

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update fixes a cross-site scripting vulnerability that affects the session list screen. This can be used to steal session cookies because tomcat 6 does not use the httpOnly flag for its cookies.
(CVE-2010-4172)

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system.
(CVE-2010-3718)

A cross-site scripting (XSS) flaw was found in the Manager application, used for managing web applications on Tomcat. If a remote attacker could trick a user who is logged into the Manager application into visiting a specially crafted URL, the attacker could perform Manager application tasks with the privileges of the logged in user.
(CVE-2010-4172)

A second cross-site scripting (XSS) flaw was found in the Manager application. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with the privileges of victims who are logged into and viewing Manager application web pages. (CVE-2011-0013)

This update also fixes the following bugs :

  - A bug in the 'tomcat6' init script prevented additional     Tomcat instances from starting. As well, running     'service tomcat6 start' caused configuration options     applied from '/etc/sysconfig/tomcat6' to be overwritten     with those from '/etc/tomcat6/tomcat6.conf'. With this     update, multiple instances of Tomcat run as expected.
    (BZ#636997)

  - The '/usr/share/java/' directory was missing a symbolic     link to the '/usr/share/tomcat6/bin/tomcat-juli.jar'     library. Because this library was mandatory for certain     operations (such as running the Jasper JSP precompiler),     the 'build-jar-repository' command was unable to compose     a valid classpath. With this update, the missing     symbolic link has been added. (BZ#661244)

  - Previously, the 'tomcat6' init script failed to start     Tomcat with a 'This account is currently not available.'     message when Tomcat was configured to run under a user     that did not have a valid shell configured as a login     shell. This update modifies the init script to work     correctly regardless of the daemon user's login shell.
    Additionally, these new tomcat6 packages now set     '/sbin/nologin' as the login shell for the 'tomcat' user     upon installation, as recommended by deployment best     practices. (BZ#678671)

  - Some standard Tomcat directories were missing write     permissions for the 'tomcat' group, which could cause     certain applications to fail with errors such as 'No     output folder'. This update adds write permissions for     the 'tomcat' group to the affected directories.
    (BZ#643809)

  - The '/usr/sbin/tomcat6' wrapper script used a hard-coded     path to the 'catalina.out' file, which may have caused     problems (such as for logging init script output) if     Tomcat was being run with a user other than 'tomcat' and     with CATALINA_BASE set to a directory other than the     default. (BZ#695284, BZ#697504)

  - Stopping Tomcat could have resulted in traceback errors     being logged to 'catalina.out' when certain web     applications were deployed. (BZ#698624)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache Tomcat. Please       review the CVE identifiers referenced below for details.
  Impact :

    The vulnerabilities allow an attacker to cause a Denial of Service, to       hijack a session, to bypass authentication, to inject webscript, to       enumerate valid usernames, to read, modify and overwrite arbitrary files,       to bypass intended access restrictions, to delete work-directory files,       to discover the server&rsquo;s hostname or IP, to bypass read permissions for       files or HTTP headers, to read or write files outside of the intended       working directory, and to obtain sensitive information by reading a log       file.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2011-006 applied.  This update contains numerous security-related fixes for the following components :

  - Apache
  - Application Firewall
  - ATS
  - BIND
  - Certificate Trust Policy
  - CFNetwork
  - CoreFoundation
  - CoreMedia
  - File Systems
  - IOGraphics
  - iChat Server
  - Mailman
  - MediaKit
  - PHP
  - postfix
  - python
  - QuickTime
  - Tomcat
  - User Documentation
  - Web Server
  - X11

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:0791 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer     Pages (JSP) technologies.

    It was found that web applications could modify the location of the Tomcat     host's work directory. As web applications deployed on Tomcat have read and     write access to this directory, a malicious web application could use this     flaw to trick Tomcat into giving it read and write access to an arbitrary     directory on the file system. (CVE-2010-3718)

    A cross-site scripting (XSS) flaw was found in the Manager application,     used for managing web applications on Tomcat. If a remote attacker could     trick a user who is logged into the Manager application into visiting a     specially-crafted URL, the attacker could perform Manager application tasks     with the privileges of the logged in user. (CVE-2010-4172)

    A second cross-site scripting (XSS) flaw was found in the Manager     application. A malicious web application could use this flaw to conduct an     XSS attack, leading to arbitrary web script execution with the privileges     of victims who are logged into and viewing Manager application web pages.
    (CVE-2011-0013)

    This update also fixes the following bugs:

    * A bug in the tomcat6 init script prevented additional Tomcat instances     from starting. As well, running service tomcat6 start caused     configuration options applied from /etc/sysconfig/tomcat6 to be     overwritten with those from /etc/tomcat6/tomcat6.conf. With this update,     multiple instances of Tomcat run as expected. (BZ#636997)

    * The /usr/share/java/ directory was missing a symbolic link to the     /usr/share/tomcat6/bin/tomcat-juli.jar library. Because this library was     mandatory for certain operations (such as running the Jasper JSP     precompiler), the build-jar-repository command was unable to compose a     valid classpath. With this update, the missing symbolic link has been     added. (BZ#661244)

    * Previously, the tomcat6 init script failed to start Tomcat with a This     account is currently not available. message when Tomcat was configured to     run under a user that did not have a valid shell configured as a login     shell. This update modifies the init script to work correctly regardless of     the daemon user's login shell. Additionally, these new tomcat6 packages now     set /sbin/nologin as the login shell for the tomcat user upon     installation, as recommended by deployment best practices. (BZ#678671)

    * Some standard Tomcat directories were missing write permissions for the     tomcat group, which could cause certain applications to fail with errors     such as No output folder. This update adds write permissions for the     tomcat group to the affected directories. (BZ#643809)

    * The /usr/sbin/tomcat6 wrapper script used a hard-coded path to the     catalina.out file, which may have caused problems (such as for logging     init script output) if Tomcat was being run with a user other than tomcat     and with CATALINA_BASE set to a directory other than the default.
    (BZ#695284, BZ#697504)

    * Stopping Tomcat could have resulted in traceback errors being logged to     catalina.out when certain web applications were deployed. (BZ#698624)

    Users of Tomcat should upgrade to these updated packages, which contain     backported patches to correct these issues. Tomcat must be restarted for     this update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is prior to 6.0.30. It is, therefore, affected by multiple vulnerabilities :

  - An error in the access restriction on a 'ServletContext'     attribute that holds the location of the work directory     in Tomcat's SecurityManager. A malicious web application     can modify the location of the working directory which     then allows improper read and write access to arbitrary     files and directories in the context of Tomcat.
    (CVE-2010-3718)

  - An input validation error exists in the Manager     application in that it fails to filter the 'sort' and     'orderBy' input parameters. (CVE-2010-4172)

  - The default configuration does not include the HTTPOnly     flag in a Set-Cookie header, which makes it easier for     remote attackers to hijack a session via script access     to a cookie. (CVE-2010-4312)

  - An input validation error exists in the HTML manager     application in that it fails to filter various input     data before returning it to the browser. (CVE-2011-0013)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat listening on the remote host is 7.x prior to 7.0.5. It is, therefore, affected by multiple cross-site scripting vulnerabilities in the Tomcat Manager application's 'sessionList.jsp' file. The 'sort' and 'orderby' parameters are not properly sanitized before being returned to the user and can be used to inject arbitrary script into the user's browser.

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application's self-reported version number.

Also note, successful exploitation requires that the cross-site request forgery (CSRF) filter is disabled.

It was discovered that Tomcat did not properly escape certain parameters in the Manager application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Tomcat installed on the remote host is prior to 7.0.5. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_7.0.5_security-7 advisory.

  - Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12     through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via     the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp     or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.
    (CVE-2010-4172)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193971	RHEL 5 / 6 : JBoss Enterprise Web Server 1.0.2 update (Moderate) (RHSA-2011:0897)	Nessus	Red Hat Local Security Checks	medium
181039	Oracle Linux 6 : tomcat6 (ELSA-2011-0791)	Nessus	Oracle Linux Local Security Checks	medium
75760	openSUSE Security Update : tomcat6 (openSUSE-SU-2011:0082-1)	Nessus	SuSE Local Security Checks	medium
61051	Scientific Linux Security Update : tomcat6 on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
59677	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
56481	Mac OS X Multiple Vulnerabilities (Security Update 2011-006)	Nessus	MacOS X Local Security Checks	critical
54601	RHEL 6 : tomcat6 (RHSA-2011:0791)	Nessus	Red Hat Local Security Checks	medium
53806	openSUSE Security Update : tomcat6 (openSUSE-SU-2011:0082-2)	Nessus	SuSE Local Security Checks	medium
53805	openSUSE Security Update : tomcat6 (openSUSE-SU-2011:0082-1)	Nessus	SuSE Local Security Checks	medium
51975	Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities	Nessus	Web Servers	medium
5793	Apache Tomcat 7.0.x < 7.0.5 Multiple XSS	Nessus Network Monitor	Web Servers	medium
51669	Ubuntu 9.10 / 10.04 LTS / 10.10 : tomcat6 vulnerability (USN-1048-1)	Nessus	Ubuntu Local Security Checks	medium
51526	Apache Tomcat 7.0.0 < 7.0.5	Nessus	Web Servers	medium

Detections

Analytics

CVE-2010-4172

medium

Tenable Plugins

medium

medium

medium

medium

medium

critical

medium

medium

medium

medium

medium

medium

medium