Cross-site Scripting
Updated 1/23/03
Impact
A malicious web site could cause arbitrary commands to run
on a client through a specially crafted link to the vulnerable server.
Background
Many web sites include scripts, which are lists of
commands which, when executed in sequence, provide some
enhancement to a web page. Web browsers are able to
recognize scripts in web pages by the <SCRIPT>
tag and handle them accordingly.
The Problem
Several types of web servers and CGI programs include the user's request in their
response. For example, a request for the page http://server/nonexistent_page.html
may cause the server to respond:
The page nonexistent_page.html does not
exist on this server.
By sending an HTTP request containing SCRIPT
tags to such a web server, it is possible to
cause the web server to return a page containing arbitrary commands
which are run by the client. While it is unlikely that
a user would deliberately send a request which would cause
this to happen, a user could be tricked into doing so by
following a specially-crafted link on another web server.
This vulnerability is known as cross-site scripting.
A web server which is vulnerable to cross-site scripting
could be exploited by a malicious web site to trick an
unsuspecting user into executing arbitrary commands on
his or her own computer.
Other related CVE entries:
CVE 2001-0658 Microsoft ISA Server 2000
CAN 2001-0824 IBM WebSphere
CVE 2001-0828 Caucho Technology Resin
CAN 2001-0829 Apache Tomcat
CAN 2001-0991 Proxomitron Naoko-4
CVE 2001-1084 Allaire JRun
CVE 2001-1121 Allaire JRun
CVE 2001-1161 Lotus Domino
CAN 2002-0326 BadBlue
CAN 2002-0530 Novell Web Search 2.0.1
CAN 2002-0682 Apache Tomcat
CVE 2002-0733 THTTPD Server
CAN 2002-1445 CERN Proxy Server
CAN 2002-1497 Null httpd
CAN 2003-0002 Microsoft Content Management Server 2001
Resolution
Cross-site scripting can be fixed either by creating a customized
error page which does not display the URI, or by applying
one of the following fixes:
- Lotus Domino: Upgrade to version 5.0.9 when it becomes available.
- Microsoft ISA 2000: Refer to Microsoft Security Bulletin 01-045.
- NetWare Web Search (4/19/02): Apply NetWare 6 Service Pack 1.
- ColdFusion MX (6/25/02): Apply the patch referenced in Macromedia
Security Bulletin 02-03.
- Apache Tomcat (7/12/02): Upgrade to version 4.1.4 or higher, and unmap the
"invoker" servlet (mapped to /servlet/), which executes anonymous servlet
classes that have not been defined in a web.xml file. The entry for this can
be found in the /<tomcat-install-dir>/conf/web.xml file.
- Apache printenv program (12/30/02): Remove the cgi-bin/printenv program.
Although this program outputs the text/plain MIME type, which shouldn't be
susceptible to cross-site scripting, some browsers do not correctly handle
this type and would therefore be vulnerable.
- Microsoft Content Management Server 2001 (1/23/03): Apply the cumulative
patch referenced in Microsoft Security Bulletin 03-002, or apply Microsoft
Content Management Server 2001 Service Pack 2 if available.
- All other products: Retrieve an upgrade or a patch from the vendor. See the
posting to Bugtraq for information about specific types of web servers.
If a fix is unavailable, then work around the problem by
creating a customized error page.
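The reflection described under The Problem and the customized error page recommended
under Resolution, as an added Python example that is not part of the original page:
a vulnerable "page not found" handler beside two hardened forms, plus a simple check a
defender can run against an error page. The request path and the page template are
constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request (not from the original page): the URI of a
# non-existent page carrying a SCRIPT tag, percent-encoded as a browser would
# send it after a user followed a crafted link.
SAMPLE_REQUEST_PATH = "/nonexistent_page.html%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E"

# Constructed error-page template; the server's real template will differ.
TEMPLATE = "<html><body>The page {} does not exist on this server.</body></html>"


def not_found_echoing(request_path: str) -> str:
    """Vulnerable form: decodes the URI and reflects it into the HTML body
    unchanged, so markup in the request reaches the browser as markup."""
    return TEMPLATE.format(unquote(request_path))


def not_found_escaped(request_path: str) -> str:
    """Hardened form 1: still shows the URI, but entity-encodes every HTML
    metacharacter so the browser displays it as text instead of running it."""
    return TEMPLATE.format(html.escape(unquote(request_path), quote=True))


def not_found_generic(request_path: str) -> str:
    """Hardened form 2 (the workaround recommended under Resolution): a
    customized error page that never displays the URI at all."""
    return "<html><body>The requested page does not exist on this server.</body></html>"


_TAG = re.compile(r"<[^<>]+>")


def reflects_request_markup(request_path: str, body: str) -> bool:
    """Defender's check: True if any tag-like fragment from the decoded
    request appears verbatim in the response body, i.e. the error page
    reflects client-supplied markup instead of neutralising it."""
    decoded = unquote(request_path)
    return any(tag in body for tag in _TAG.findall(decoded))


if __name__ == "__main__":
    for render in (not_found_echoing, not_found_escaped, not_found_generic):
        body = render(SAMPLE_REQUEST_PATH)
        print(f"{render.__name__:>18}: reflects markup = "
              f"{reflects_request_markup(SAMPLE_REQUEST_PATH, body)}")
```

The check is deliberately narrow: it only catches verbatim reflection of tags, so an error page that passes it should still be reviewed for the escaping it applies to every echoed value.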
Where can I read more about this?
For more information on cross-site scripting, and, more generally, on
malicious HTML tags embedded in client requests, see CERT Advisory 2000-02
and Microsoft's Information on Cross-Site Scripting.
The vulnerability in NetWare Web Search was reported in Cgi Security
Advisory #9.
The vulnerability in Apache printenv was reported in Bugtraq postings
304324 and 304344.
The vulnerability in Microsoft Content Management Server 2001 was reported
in Microsoft Security Bulletin 03-002 and Bugtraq.