Hi Sullo,

This is what I am putting in my browser.

http://www.xxxxx.com/a.jsp/<SCRIPT>alert(document.domain)</script>

I am getting a page not found - or am I missing the point?


Thanks for your help

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:sullo@;cirt.net]
Sent: 01 November 2002 14:21
To: Kevin Passey
Cc: 'Nessus (E-mail)
Subject: Re: Older versions of JServ - but I'm using Tomcat.4.0.4


You should be able to test if this is working or a false positive by putting
the following request in your browser (that has JavaScript enabled). You should
get a pop-up window.  This is the same test that is happening in the plugin.

/a.jsp/<SCRIPT>alert(document.domain)</script>

-Sullo

Quoting Kevin Passey <[EMAIL PROTECTED]>:

> Hi again,
> 
> This is confusing me : I have one hole that I need to close.
> 
> I am getting a medium risk hole which I don't understand.
> 
> I have a Tomcat 4.0.4 web server running on port 80. 
> 
> Nessus is telling me "Older versions of JServ are venerable to a cross site
> scripting attack using a request for a non-existent .jsp file. Upgrade to
> the latest version of JServ or, for preference use Tomcat, as JServ is no
> longer maintained"
> 
> But I am using Tomcat - do I need to upgrade it further - or is this a false
> positive?
> 
> Thanks in advance.
> 
> Kevin 
> -
> [EMAIL PROTECTED]: general discussions about Nessus.
> * To unsubscribe, send a mail to [EMAIL PROTECTED] with
> "unsubscribe nessus" in the body.
> 


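The check discussed in the thread, written out as an added example (not part of the original messages and not the Nessus plugin's code): the finding is real only if the error page echoes the probe back as unencoded markup in an HTML response. The function names and the sample responses below are constructed for illustration.

```python
import html
from urllib.parse import quote

# Probe string quoted in the thread.
PROBE = "<SCRIPT>alert(document.domain)</script>"

def classify_reflection(content_type, body, probe=PROBE):
    """Classify how a response body echoes the probe (hypothetical helper)."""
    body_l, probe_l = body.lower(), probe.lower()
    if probe_l in body_l:
        # Unencoded markup is a script only when the page is rendered as HTML.
        ctype = content_type.split(";")[0].strip().lower()
        if ctype in ("text/html", "application/xhtml+xml"):
            return "reflected-raw"
        # Content-sniffing browsers may still render it: review by hand.
        return "raw-non-html"
    # Entity-encoded or percent-encoded echoes are inert text in the page.
    encoded = (html.escape(probe), quote(probe, safe=""), quote(probe))
    if any(form.lower() in body_l for form in encoded):
        return "reflected-encoded"
    return "absent"

def is_confirmed(content_type, body):
    """True only when the scanner finding is reproduced."""
    return classify_reflection(content_type, body) == "reflected-raw"

# Constructed sample responses: (status, Content-Type, body). Every one is a
# 404, so the status code alone does not separate the cases.
SAMPLES = {
    "echo_raw": (404, "text/html",
                 "<h1>Not Found</h1>/a.jsp/" + PROBE + " was not found"),
    "echo_escaped": (404, "text/html; charset=ISO-8859-1",
                     "<h1>Not Found</h1>/a.jsp/" + html.escape(PROBE)),
    "echo_plain": (404, "text/plain", "/a.jsp/" + PROBE + " not found"),
    "no_echo": (404, "text/html", "<h1>Page not found</h1>"),
}

def triage(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify_reflection(ctype, body)
            for name, (_status, ctype, body) in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:13} {verdict}")
```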