1. Introduction
The Apache Tomcat snoop.jsp URI XSS vulnerability allows a remote attacker to inject malicious script into a web application via an unsanitized input field within the ‘snoop.jsp’ example application. This can lead to session hijacking, defacement of websites or redirection to malicious sites. Systems running vulnerable versions of Apache Tomcat are affected. A successful exploit could compromise confidentiality, integrity and availability of the affected site.
2. Technical Explanation
- Exploit mechanism: An attacker crafts a malicious URL containing JavaScript code, which is then executed in the browser of any user who visits that URL. For example, an attacker could use a URL like http://example.com/examples/jsp/snoop.jsp?name=.
- Scope: Apache Tomcat web servers with the examples web application deployed are affected.
3. Detection and Assessment
To confirm if a system is vulnerable, check for the presence of the ‘snoop.jsp’ application and test its input handling. A thorough method involves attempting to inject XSS payloads.
- Quick checks: Verify that the Tomcat examples web application is deployed by browsing to http://your-tomcat-server/examples/jsp/snoop.jsp.
- Scanning: Nessus vulnerability ID 31847 can detect this issue. This is an example only, and may require updates.
- Logs and evidence: Examine Tomcat access logs for requests to ‘snoop.jsp’ with suspicious parameters.
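The log review described above, as an added example that is not part of the original guide: a small Python scanner that parses Tomcat access-log lines in the AccessLogValve "common" pattern, keeps every request to snoop.jsp (a 200 response there means the examples application is still deployed), and flags those whose query string, after URL decoding, contains tags, javascript: URLs or inline event handlers. The decoder runs more than once so double-encoded probes are not missed. The log lines, hosts and timestamps are constructed for the example.

```python
"""Scan Tomcat access-log lines for requests to snoop.jsp carrying script-like parameters."""
import re
from urllib.parse import unquote_plus, urlsplit

# Tomcat AccessLogValve "common" pattern:
#   host ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Markers that have no business in a snoop.jsp query string: raw tags,
# javascript:/vbscript: URLs and inline event handlers such as onerror=.
SUSPICIOUS_RE = re.compile(r'<|>|javascript:|vbscript:|\bon[a-z]+\s*=', re.IGNORECASE)

# Constructed sample log lines (not real traffic). Lines 2 and 3 carry a
# URL-encoded and a double-URL-encoded script probe; line 5 is the same kind
# of probe after the examples application was removed (server answers 404).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /examples/jsp/snoop.jsp?name=alice HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Mar/2024:10:16:01 +0000] "GET /examples/jsp/snoop.jsp?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2101',
    '203.0.113.7 - - [12/Mar/2024:10:16:04 +0000] "GET /examples/jsp/snoop.jsp?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2097',
    '10.0.0.9 - - [12/Mar/2024:10:17:45 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 512',
    '203.0.113.8 - - [13/Mar/2024:08:02:10 +0000] "GET /examples/jsp/snoop.jsp?name=%3Cscript%3E HTTP/1.1" 404 0',
]


def fully_decode(value, max_rounds=3):
    """Undo URL encoding repeatedly so double-encoded probes are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the pattern."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = fully_decode(parts.query)
    return rec


def scan_access_log(lines):
    """Split log lines into all snoop.jsp requests and the subset with script-like parameters."""
    snoop_requests, suspicious = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/snoop.jsp"):
            continue
        snoop_requests.append(rec)
        if SUSPICIOUS_RE.search(rec["query"]):
            suspicious.append(rec)
    return {"snoop_requests": snoop_requests, "suspicious": suspicious}


if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG)
    print(f"{len(result['snoop_requests'])} request(s) to snoop.jsp; "
          f"{len(result['suspicious'])} with script-like parameters")
    for rec in result["suspicious"]:
        print(f"  {rec['host']} {rec['time']} status={rec['status']} query={rec['query']!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the lines of the file; the status column tells the two findings apart: a flagged request answered with 200 means the examples application was still serving snoop.jsp at that time, while 404 shows the probe arrived after removal.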
# No specific command available - check web application availability via browser.

4. Solution / Remediation Steps
The recommended solution is to remove the vulnerable examples web application from your Tomcat deployment.
4.1 Preparation
- Ensure you have access to the Tomcat server’s file system and administration interface. The rollback plan is to redeploy the examples web application if needed.
- A change window may be required depending on your environment and risk tolerance.
4.2 Implementation
- Step 1: Stop the Tomcat service.
- Step 2: Delete the ‘examples’ web application directory from the Tomcat ‘webapps’ directory. The path varies by installation but is typically /opt/tomcat/webapps/examples or similar.
- Step 3: Start the Tomcat service.
4.3 Config or Code Example
No configuration change is needed; this fix involves removing a web application.
Before
/opt/tomcat/webapps/examples directory exists
After
/opt/tomcat/webapps/examples directory does not exist.

4.4 Security Practices Relevant to This Vulnerability
- Least privilege: Limit the permissions of web applications to reduce the impact if they are compromised.
4.5 Automation (Optional)
No automation is provided as this fix involves removing a directory.
5. Verification / Validation
- Post-fix check: Attempting to access http://your-tomcat-server/examples/jsp/snoop.jsp should result in a 404 Not Found error.
- Re-test: Verify that the vulnerability scanner no longer reports the issue.
- Smoke test: Ensure other web applications on the Tomcat server are functioning correctly.
- Monitoring: Monitor Tomcat access logs for any unexpected errors or requests to ‘snoop.jsp’.
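The implementation steps of section 4.2, the post-fix check of section 5 and the rollback of section 7, carried out as an added Python script that is not part of the original guide. The examples directory is moved to a backup location rather than deleted outright so it can be put back if a rollback is needed; service control goes through systemctl with a unit named tomcat, which is an assumption about the host, and nothing is changed unless the script is invoked with --apply.

```python
"""Remove the Tomcat examples web application and confirm snoop.jsp is gone."""
import os
import shutil
import subprocess
import sys
import urllib.error
import urllib.request

SNOOP_PATH = "/examples/jsp/snoop.jsp"


def examples_dir(catalina_base):
    """Exploded examples application under webapps (e.g. /opt/tomcat/webapps/examples)."""
    return os.path.join(catalina_base, "webapps", "examples")


def examples_deployed(catalina_base):
    """Quick on-disk check: is the examples application present?"""
    return os.path.isdir(examples_dir(catalina_base))


def remove_examples_webapp(catalina_base, dry_run=False, backup_to=None):
    """Step 2: remove webapps/examples. With backup_to, move it aside instead of deleting
    so the rollback is a plain move back. Returns what was (or would be) removed."""
    target = examples_dir(catalina_base)
    removed = []
    if os.path.isdir(target):
        if not dry_run:
            if backup_to:
                shutil.move(target, backup_to)
            else:
                shutil.rmtree(target)
        removed.append(target)
    return {"removed": removed, "dry_run": dry_run,
            "examples_present_after": os.path.isdir(target)}


def control_service(action, unit="tomcat"):
    """Steps 1 and 3: stop/start Tomcat via systemd. The unit name 'tomcat' is an assumption."""
    subprocess.run(["systemctl", action, unit], check=True)


def snoop_status(base_url, timeout=5):
    """Post-fix check: HTTP status for snoop.jsp (404 expected once examples is removed)."""
    url = base_url.rstrip("/") + SNOOP_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} CATALINA_BASE BASE_URL [--apply]", file=sys.stderr)
        return 2
    catalina_base, base_url = argv[1], argv[2]
    apply = "--apply" in argv[3:]
    backup = os.path.join(catalina_base, "examples.removed")  # rollback copy
    print("examples deployed:", examples_deployed(catalina_base))
    if apply:
        control_service("stop")
    result = remove_examples_webapp(catalina_base, dry_run=not apply, backup_to=backup)
    print("removed" if apply else "would remove", result["removed"] or "nothing")
    if apply:
        control_service("start")
        status = snoop_status(base_url)
        print(f"GET {SNOOP_PATH} -> {status} ({'fixed' if status == 404 else 'still present'})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Without --apply the script only reports what it would remove, which is the form to run first in a change window; with --apply it stops the service, moves the directory to examples.removed beside webapps, starts the service and prints the status code for snoop.jsp, which should be 404. Rolling back is moving examples.removed back to webapps/examples and restarting the service.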
# Attempting to access http://your-tomcat-server/examples/jsp/snoop.jsp should return a 404 error.

6. Preventive Measures and Monitoring
- Baselines: Implement security baselines that require disabling or removing unnecessary example applications.
- Pipelines: Integrate static analysis tools into your CI/CD pipeline to identify potential XSS vulnerabilities in web application code.
- Asset and patch process: Regularly review deployed assets for unnecessary components and apply security patches promptly.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Removing the examples web application may affect any custom applications that depend on it (unlikely).
- Risk or side effect 2: No other known risks.
- Roll back: Redeploy the ‘examples’ web application directory to the Tomcat ‘webapps’ directory and restart the service.
8. References and Resources
- Vendor advisory or bulletin: https://seclists.org/bugtraq/2007/Jun/182
- NVD or CVE entry: CVE-2007-2449
- Product or platform documentation relevant to the fix: No specific documentation available.