Security Research

Security Vulnerabilities
Apache Tomcat Cal2.JSP Cross-Site Scripting Vulnerability

Published: 2007-09-04
Updated: 2009-01-28

Affected systems:
Apache Group Tomcat 5.5.0-5.5.15
Apache Group Tomcat 5.0.0-5.0.30
Apache Group Tomcat 4.1.0-4.1.31
Apache Group Tomcat 4.0.0-4.0.6
Description:
BUGTRAQ ID: 25531
CVE(CAN) ID: CVE-2006-7196, CVE-2007-4724

Apache Tomcat is a popular open-source JSP application server.

An XSS vulnerability exists in the calendar example application shipped with Apache Tomcat 4.0.0-4.0.6, 4.1.0-4.1.31, 5.0.0-5.0.30 and 5.5.0-5.5.15. A remote attacker can inject arbitrary web script or HTML by passing a crafted time parameter to cal2.jsp.
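The following is an added illustration, not Tomcat's own cal2.jsp source: the unsafe reflection pattern the advisory describes is shown next to a hardened version that allow-list validates the time slot and HTML-escapes the value before it reaches the page. The slot format, class and method names are assumptions made for the example.

```java
import java.util.regex.Pattern;

public class Cal2TimeParam {
    // Assumed slot format for the calendar's "time" parameter, e.g. "8am" or "12pm".
    private static final Pattern TIME_SLOT = Pattern.compile("^(1[0-2]|[1-9])(am|pm)$");

    // Escape the characters that change meaning in HTML text and attribute contexts.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Allow-list check: reject anything that is not a plausible time slot.
    static boolean isValidTimeSlot(String time) {
        return time != null && TIME_SLOT.matcher(time).matches();
    }

    // Unsafe pattern from the advisory: the request parameter is copied straight into the page.
    static String renderVulnerable(String time) {
        return "<h3>Events for " + time + "</h3>";
    }

    // Hardened form: validate against the allow-list, then escape for the HTML context.
    static String renderFixed(String time) {
        if (!isValidTimeSlot(time)) {
            return "<h3>Invalid time slot</h3>";
        }
        return "<h3>Events for " + escapeHtml(time) + "</h3>";
    }

    public static void main(String[] args) {
        // Constructed input: the advisory's test string, URL-decoded.
        String hostile = "8am<script>alert(\"XSS!\")</script>";
        System.out.println("vulnerable:         " + renderVulnerable(hostile));
        System.out.println("escaped only:       " + escapeHtml(hostile));
        System.out.println("fixed, hostile:     " + renderFixed(hostile));
        System.out.println("fixed, valid input: " + renderFixed("8am"));
    }
}
```

Escaping alone already neutralises the reflected payload; the allow-list check additionally keeps unexpected values out of the page entirely.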

Source: Tushar Vartak

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users proceed at their own risk!

http://www.example.com/examples/jsp/cal/cal2.jsp?time=8am%3cscript%3ealert("XSS!")%3c%2fscript%3e

Recommendations:
Vendor patches:

Apache Group
------------
The vendor has released upgrade patches that fix this security issue; please download them from the vendor's homepage:

Apache Software Foundation Tomcat 4.1 (4.1, 4.1.3 beta, 4.1.12, 4.1.31)
Upgrade to v4.1.32:
http://archive.apache.org/dist/tomcat/tomcat-4/v4.1.32/

Apache Software Foundation Tomcat 5.5 (5.5, 5.5.1, 5.5.10, 5.5.11, 5.5.12, 5.5.13)
Upgrade to v5.5.16:
http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.16/

This security advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.