Author: markt Date: Sat Jul 21 16:49:16 2007 New Revision: 558396 URL: http://svn.apache.org/viewvc?view=rev&rev=558396 Log: Add information for CVE-2007-3383
Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/xdocs/security-4.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=558396&r1=558395&r2=558396 ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Sat Jul 21 16:49:16 2007 @@ -317,6 +317,21 @@ <p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p> + <p> +<strong>low: Cross-site scripting</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3383"> + CVE-2007-3383</a> +</p> + + <p>When reporting error messages, the SendMailServlet (part of the examples + web application) did not escape user provided data before including it in + the output. This enabled a XSS attack. This Servlet now filters the data + before use. This issue may be mitigated by undeploying the examples web + application. Note that it is recommended that the examples web + application is not installed on a production system. + </p> + + <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.36</p> </blockquote> </p> </td> Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=558396&r1=558395&r2=558396 ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Sat Jul 21 16:49:16 2007 
@@ -90,6 +90,19 @@ <p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p> + <p><strong>low: Cross-site scripting</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3383"> + CVE-2007-3383</a></p> + + <p>When reporting error messages, the SendMailServlet (part of the examples + web application) did not escape user provided data before including it in + the output. This enabled a XSS attack. This Servlet now filters the data + before use. This issue may be mitigated by undeploying the examples web + application. Note that it is recommended that the examples web + application is not installed on a production system. + </p> + + <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.36</p> </section> <section name="Fixed in Apache Tomcat 4.1.36">
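Review bot: in the security-4.html hunk, the new entry's Affects line reads "4.0.0-4.0.6, 4.1.0-4.1.36" while the preceding entry in the same hunk reads "4.0.1-4.0.6, 4.1.0-4.1.36"; please confirm the 4.0.0 lower bound is intentional (the examples SendMailServlet shipping in 4.0.0 as well) rather than a copy slip, because readers compare these ranges directly. Two wording points in the description: "This enabled a XSS attack" should read "an XSS attack", and "This Servlet now filters the data before use" does not match the cause given one sentence earlier (failure to escape); "now escapes the data before use" keeps cause and fix consistent. Since security-4.html is the generated copy of security-4.xml, any such change should be made in the xdocs source and the HTML regenerated rather than edited by hand here.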
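Review bot: the security-4.xml hunk is the source of truth for the generated page, so the "an XSS attack" grammar fix and the escape/filter wording belong in this file, with security-4.html regenerated afterwards; the two hunks currently carry identical text, so a change to only one of them would leave the site out of sync with its source. One presentational point: the description paragraph's closing "</p>" sits on its own line preceded by whitespace, unlike the other entries in the surrounding context, so consider ending the paragraph on the last sentence line for consistency with the rest of the section.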