Apache Tomcat versions 4.0.0 to 4.0.6, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, and 6.0.0 to 6.0.13 suffer from a cross site scripting flaw in their JSP examples.
a6c3ae6ce4360fc4d056e2d6c0d8f910d71d7afb1587a7db9a0a2d4f30cc120a-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2007-2449: Apache Tomcat XSS vulnerabilities in the JSP examples
Severity: low (cross-site scripting)
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.36
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.24
Tomcat 6.0.0 to 6.0.13
Description:
The JSP examples web application displays does not escape some user
provided data before including it in the output. This enables a XSS
attack.
Mitigation:
1. Undeploy the examples web application(s).
Example:
http://host:port/jsp-examples/snp/snoop.jsp;<script>alert()</script>test.jsp
Credit:
These issues were discovered by an unknown security researcher and
reported to JPCERT.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGcKbJb7IeiTPGAkMRAi9BAKDsuoomGh2n9BYl7mT/tGEjQ+HIlQCdHjnU
zdreMwViLR/bDBnys5YkhPk=
=SK7+
-----END PGP SIGNATURE-----
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed