CVE-2008-1947 (CVSS 4.3, MEDIUM)

Published: 04/06/2008 Updated: 11/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

Apache Tomcat and the HP HP-UX Tomcat-based Servlet Engine contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the user's browser session.
The vulnerability is due to an input sanitization error in the Host Manager application: the name parameter (the hostname attribute) submitted to host-manager/html/add is reflected into the response without being encoded. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user who is logged in to Host Manager to follow a crafted link that passes malicious HTML and script code to the targeted server. The crafted link could allow the attacker to execute malicious HTML or script code in the user's browser session in the security context of the site.
Sufficient information to reliably exploit the vulnerability is publicly available.
Apache and HP confirmed the vulnerability in security announcements and released updated software.

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Affected Products

Vendor: Apache
Product: Tomcat
Versions: 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22, 5.5.23, 5.5.24, 5.5.25, 5.5.26, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16

Mitigation

Administrators are advised to apply the appropriate updates.
Administrators may consider using a filtering proxy or firewall to remove malicious characters and character sequences.
Users are advised not to follow links from untrusted sources.
Users are advised to log out of the Host Manager when they are not actively performing an administrative function.
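The defect class described above is a reflected parameter rendered into HTML without encoding, and the mitigations above name two controls: fixing the output (the vendor update) and screening requests at a filtering proxy. The block below is an added illustration of both and is not Tomcat's own code or fix: a vulnerable render function beside a hardened one that validates the value as a hostname and HTML-encodes it, plus a small access-log scanner that flags requests to the add endpoint whose name parameter is not a syntactically valid hostname. The log lines, the hostname syntax rule and the exact path suffix are constructed assumptions modelled on the advisory text.

```python
"""
Added example (not Apache Tomcat code): reflected-parameter XSS, its
hardening, and a log-based detection for requests to the Host Manager
add endpoint. Sample log lines below are constructed, not captured.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed hostname syntax (RFC 1123 style): dot-separated labels of
# letters, digits and hyphens, no leading/trailing hyphen, <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(name: str) -> bool:
    """True when the value is syntactically a hostname and nothing else."""
    return bool(HOSTNAME_RE.match(name))


def render_unsafe(name: str) -> str:
    """The defect class: the request parameter is reflected verbatim into HTML."""
    return f"<p>Host {name} added</p>"


def render_safe(name: str) -> str:
    """Hardened: reject non-hostnames, then encode for the HTML text context."""
    if not is_valid_hostname(name):
        raise ValueError("rejected: name parameter is not a valid hostname")
    return f"<p>Host {html.escape(name, quote=True)} added</p>"


# Common/combined access-log prefix: client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r"(?P<status>\d{3})"
)

ADD_PATH_SUFFIX = "/host-manager/html/add"  # assumed endpoint path from the advisory


def suspicious_add_requests(log_lines):
    """Return (path, decoded name, status) for add requests whose name is not a hostname."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(ADD_PATH_SUFFIX):
            continue
        # parse_qs percent-decodes, so the check sees what the server would render
        for name in parse_qs(parts.query).get("name", []):
            if not is_valid_hostname(name):
                hits.append((parts.path, name, m.group("status")))
    return hits


# Constructed sample log: one legitimate add, one add carrying markup, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [06/Jun/2008:10:00:01 +0000] "GET /host-manager/html/add?name=app01.example.test&aliases= HTTP/1.1" 200 1234',
    '10.0.0.9 - admin [06/Jun/2008:10:00:02 +0000] "GET /host-manager/html/add?name=%3Cb%3Ebad%3C%2Fb%3E HTTP/1.1" 200 1301',
    '10.0.0.9 - - [06/Jun/2008:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    print(render_unsafe("<b>bad</b>"))          # markup survives into the page
    print(render_safe("app01.example.test"))    # valid hostname, encoded on output
    for hit in suspicious_add_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The validator rejects the value before encoding so that a hostname field never carries markup at all; the encoder still runs on accepted values because the render context, not the input check, is what decides whether output is safe. In the scanner, only the name parameter of the add endpoint is inspected, which keeps the check specific to this advisory rather than a generic request filter.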

Exploitation

The vulnerability affects only users who are currently authenticated to the Host Manager application, which significantly reduces its attack surface. Users can mitigate the vulnerability by logging out of the Host Manager when it is not in use and by not visiting sites unrelated to the current administration task while they are authenticated to Host Manager.

References

CWE-79
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://marc.info/?l=bugtraq&m=123376588623823&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://marc.info/?l=tomcat-user&m=121244319501278&w=2
http://secunia.com/advisories/30500
http://secunia.com/advisories/30592
http://secunia.com/advisories/30967
http://secunia.com/advisories/31639
http://secunia.com/advisories/31865
http://secunia.com/advisories/31891
http://secunia.com/advisories/32120
http://secunia.com/advisories/32222
http://secunia.com/advisories/32266
http://secunia.com/advisories/33797
http://secunia.com/advisories/33999
http://secunia.com/advisories/34013
http://secunia.com/advisories/37460
http://secunia.com/advisories/57126
http://support.apple.com/kb/HT3216
http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.debian.org/security/2008/dsa-1593
http://www.mandriva.com/security/advisories?name=MDVSA-2008:188
http://www.redhat.com/support/errata/RHSA-2008-0648.html
http://www.redhat.com/support/errata/RHSA-2008-0862.html
http://www.redhat.com/support/errata/RHSA-2008-0864.html
http://www.securityfocus.com/archive/1/492958/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/29502
http://www.securityfocus.com/bid/31681
http://www.securitytracker.com/id?1020624
http://www.vmware.com/security/advisories/VMSA-2009-0002.html
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2008/1725
http://www.vupen.com/english/advisories/2008/2780
http://www.vupen.com/english/advisories/2008/2823
http://www.vupen.com/english/advisories/2009/0320
http://www.vupen.com/english/advisories/2009/0503
http://www.vupen.com/english/advisories/2009/3316
https://exchange.xforce.ibmcloud.com/vulnerabilities/42816
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html