
Test ID: 1.3.6.1.4.1.25623.1.0.58659
Category: Red Hat Local Security Checks
Title: RedHat Security Advisory RHSA-2007:0876
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in
advisory RHSA-2007:0876.

Tomcat is a servlet container for Java Servlet and Java Server Pages
technologies.

Tomcat incorrectly handled Accept-Language headers that do not conform to
RFC 2616. An attacker was able to perform cross-site scripting (XSS)
attacks in certain applications (CVE-2007-1358).
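The CVE-2007-1358 paragraph above describes a header that was reflected into a page without first being checked against the RFC 2616 grammar. The following Python snippet is an added, defender-side illustration (it is not Tomcat code and not part of the advisory): it parses Accept-Language strictly according to the RFC 2616 language-range and qvalue grammar, rejects anything that does not conform, and HTML-escapes whatever is echoed back regardless. The function names, the page fragment and the sample headers are constructed for this example.

```python
import html
import re

# RFC 2616 sections 3.10 and 14.4:
#   language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
#   qvalue         = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
_LANG_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)"
_QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"
_ELEMENT_RE = re.compile(
    r"^\s*(" + _LANG_RANGE + r")\s*(?:;\s*[qQ]\s*=\s*(" + _QVALUE + r"))?\s*$"
)


def parse_accept_language(header):
    """Return a list of (language_range, q) tuples.

    Raises ValueError if any comma-separated element does not match the
    RFC 2616 grammar, so that non-conforming input is never passed on
    to code that might render it.
    """
    if header is None or header.strip() == "":
        return []
    result = []
    for element in header.split(","):
        match = _ELEMENT_RE.match(element)
        if match is None:
            raise ValueError(
                "Accept-Language element is not RFC 2616 conformant: %r" % element
            )
        q = float(match.group(2)) if match.group(2) is not None else 1.0
        result.append((match.group(1), q))
    return result


def safe_locale_fragment(header):
    """Build the HTML fragment a page might echo for the preferred language.

    Two independent layers of defence (hypothetical page, constructed for
    this example): validation rejects malformed headers outright, and
    html.escape() is applied to the chosen value regardless, so the browser
    never receives raw markup even if validation were loosened later.
    """
    try:
        langs = parse_accept_language(header)
    except ValueError:
        langs = []
    chosen = langs[0][0] if langs else "unknown"
    return "<p>Preferred language: %s</p>" % html.escape(chosen, quote=True)


if __name__ == "__main__":
    # Constructed sample headers: one conformant, one with an illegal character.
    print(parse_accept_language("da, en-gb;q=0.8, en;q=0.7"))
    print(safe_locale_fragment("en_US"))
```

The strict parser is the fix the advisory points at; the escaping step is the general rule that any request header echoed into HTML must pass through output encoding, whether or not it was validated first.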

Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).

Note: it is recommended the 'examples' web application not be installed on
a production system.

The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).

Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).

It was reported that Tomcat did not properly handle the following character
sequence in a cookie: \" (a backslash followed by a double-quote). Remote
attackers could possibly use this failure to obtain sensitive
information, such as session IDs, for session hijacking attacks
(CVE-2007-3385).

A cross-site scripting (XSS) vulnerability existed in the Host Manager
Servlet. This allowed remote attackers to inject arbitrary HTML and web
script via crafted requests (CVE-2007-3386).

Users of Tomcat should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2007-0876.html
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#moderate

Risk factor: Medium

CVSS Score: 4.3

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2007-1358
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
BugTraq ID: 24524
http://www.securityfocus.com/bid/24524
BugTraq ID: 25159
http://www.securityfocus.com/bid/25159
Bugtraq: 20070618 [CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language header processing (Google Search)
http://www.securityfocus.com/archive/1/471719/100/0/threaded
Bugtraq: 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Google Search)
http://www.securityfocus.com/archive/1/500396/100/0/threaded
Bugtraq: 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) (Google Search)
http://www.securityfocus.com/archive/1/500412/100/0/threaded
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
HPdes Security Advisory: HPSBUX02262
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
HPdes Security Advisory: SSRT071447
http://jvn.jp/jp/JVN%2316535199/index.html
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
http://osvdb.org/34881
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10679
http://www.redhat.com/support/errata/RHSA-2008-0261.html
RedHat Security Advisories: RHSA-2008:0630
http://rhn.redhat.com/errata/RHSA-2008-0630.html
http://www.securitytracker.com/id?1018269
http://secunia.com/advisories/25721
http://secunia.com/advisories/26235
http://secunia.com/advisories/26660
http://secunia.com/advisories/27037
http://secunia.com/advisories/27727
http://secunia.com/advisories/30899
http://secunia.com/advisories/30908
http://secunia.com/advisories/31493
http://secunia.com/advisories/33668
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
http://www.vupen.com/english/advisories/2007/1729
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/3087
http://www.vupen.com/english/advisories/2007/3386
http://www.vupen.com/english/advisories/2008/1979/references
http://www.vupen.com/english/advisories/2009/0233
Common Vulnerability Exposure (CVE) ID: CVE-2007-2449
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
BugTraq ID: 24476
http://www.securityfocus.com/bid/24476
Bugtraq: 20070614 [CVE-2007-2449] Apache Tomcat XSS vulnerabilities in the JSP examples (Google Search)
http://www.securityfocus.com/archive/1/471351/100/0/threaded
http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
http://osvdb.org/36080
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10578
http://www.redhat.com/support/errata/RHSA-2007-0569.html
http://www.securitytracker.com/id?1018245
http://secunia.com/advisories/26076
http://secunia.com/advisories/29392
http://secunia.com/advisories/30802
http://securityreason.com/securityalert/2804
SuSE Security Announcement: SUSE-SR:2008:007 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html
SuSE Security Announcement: SUSE-SR:2009:004 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://www.vupen.com/english/advisories/2007/2213
http://www.vupen.com/english/advisories/2008/1981/references
XForce ISS Database: tomcat-example-xss(34869)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34869
Common Vulnerability Exposure (CVE) ID: CVE-2007-2450
BugTraq ID: 24475
http://www.securityfocus.com/bid/24475
Bugtraq: 20070614 [CVE-2007-2450]: Apache Tomcat XSS vulnerability in Manager (Google Search)
http://www.securityfocus.com/archive/1/471357/100/0/threaded
Debian Security Information: DSA-1468 (Google Search)
http://www.debian.org/security/2008/dsa-1468
http://jvn.jp/jp/JVN%2307100457/index.html
http://www.osvdb.org/36079
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11287
http://secunia.com/advisories/25678
http://secunia.com/advisories/28549
http://securityreason.com/securityalert/2813
XForce ISS Database: tomcat-hostmanager-xss(34868)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34868
Common Vulnerability Exposure (CVE) ID: CVE-2007-3382
AIX APAR: IZ55562
http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562
BugTraq ID: 25316
http://www.securityfocus.com/bid/25316
Bugtraq: 20070814 CVE-2007-3382: Handling of cookies containing a ' character (Google Search)
http://www.securityfocus.com/archive/1/476442/100/0/threaded
Bugtraq: 20070814 Re: CVE-2007-3382: Handling of cookies containing a ' character (Google Search)
http://www.securityfocus.com/archive/1/476466/100/0/threaded
CERT/CC vulnerability note: VU#993544
http://www.kb.cert.org/vuls/id/993544
Debian Security Information: DSA-1447 (Google Search)
http://www.debian.org/security/2008/dsa-1447
Debian Security Information: DSA-1453 (Google Search)
http://www.debian.org/security/2008/dsa-1453
HPdes Security Advisory: HPSBTU02276
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
HPdes Security Advisory: SSRT071472
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11269
http://www.redhat.com/support/errata/RHSA-2007-0871.html
http://www.redhat.com/support/errata/RHSA-2007-0950.html
http://www.redhat.com/support/errata/RHSA-2008-0195.html
http://securitytracker.com/id?1018556
http://secunia.com/advisories/26466
http://secunia.com/advisories/26898
http://secunia.com/advisories/27267
http://secunia.com/advisories/28317
http://secunia.com/advisories/28361
http://secunia.com/advisories/29242
http://secunia.com/advisories/36486
SuSE Security Announcement: SUSE-SR:2008:005 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://www.vupen.com/english/advisories/2007/2902
http://www.vupen.com/english/advisories/2007/3527
XForce ISS Database: tomcat-quotecookie-information-disclosure(36006)
https://exchange.xforce.ibmcloud.com/vulnerabilities/36006
Common Vulnerability Exposure (CVE) ID: CVE-2007-3385
Bugtraq: 20070814 CVE-2007-3385: Handling of \" in cookies (Google Search)
http://www.securityfocus.com/archive/1/476444/100/0/threaded
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9549
http://securitytracker.com/id?1018557
http://secunia.com/advisories/44183
http://securityreason.com/securityalert/3011
XForce ISS Database: tomcat-slashcookie-information-disclosure(35999)
https://exchange.xforce.ibmcloud.com/vulnerabilities/35999
Common Vulnerability Exposure (CVE) ID: CVE-2007-3386
BugTraq ID: 25314
http://www.securityfocus.com/bid/25314
Bugtraq: 20070814 CVE-2007-3386: XSS in Host Manager (Google Search)
http://www.securityfocus.com/archive/1/476448/100/0/threaded
http://jvn.jp/jp/JVN%2359851336/index.html
http://osvdb.org/36417
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10077
http://securitytracker.com/id?1018558
http://secunia.com/advisories/26465
http://securityreason.com/securityalert/3010
http://www.vupen.com/english/advisories/2007/2880
XForce ISS Database: tomcat-hostmanager-alias-xss(36001)
https://exchange.xforce.ibmcloud.com/vulnerabilities/36001
Copyright: Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com

© 1998-2025 E-Soft Inc. All rights reserved.