I found a cross-site scripting vulnerability in Tomcat 3.2.1.
Accessing the following URL, the JavaScript code will be executed by
the browser on the server's domain.
http://any-server-Tomcat-running-on/jsp-mapped-dir/SCRIPTalert(document.cookie)/SCRIPT.jsp
This vulnerability is quite similar
Arieh,
From: Arieh Markel [EMAIL PROTECTED]
Subject: Question - Re: cvs commit: DefaultCMSetter.java
Date: Fri, 16 Mar 2001 17:34:30 -0700 (MST)
Message-ID: [EMAIL PROTECTED]
Shouldn't the charset be according to the Locale and Charset of the
request that was passed ?
I think there are three
It looks like the
tester webapp in tomcat 4 was broken with last nights servlet api
changes?
Searching for
build.xml ...Buildfile:
C:\Build\Tomcat-4\jakarta-tomcat-4.0-base\tester\build.xml
build-prepare:
build-static:
build-main: [javac] Compiling 1 source file to
arieh 01/03/16 15:39:52
Modified:src/share/org/apache/tomcat/util Tag: tomcat_32
FileUtil.java
Log:
Add support for docbase localized lookups.
Revision ChangesPath
No revision
No revision
arieh 01/03/16 15:42:00
Modified:src/share/org/apache/tomcat/request Tag: tomcat_32
StaticInterceptor.java
Log:
Add support for docbase localization lookup.
Revision ChangesPath
No revision
No
arieh 01/03/16 15:43:56
Modified:src/share/org/apache/tomcat/core Tag: tomcat_32 Context.java
Log:
Add support for 'docbase' localization lookup to the getRealPath() method.
Preserve backwards compatibility on the getRealPath(path, loc, loc) call.
Revision ChangesPath
I'm trying to get catalina working with Apache 1.3.19 on Linux, but for I've
got something misconfigured. It cannot find my 'pub' webapp based on this
error: Application pub with path /pub/ not found
Here's how it's defined in server.xml:
!-- Define an Apache-Connector Service --
Service
changed setFilter to init, removed getFilter and added an [empty] destroy()
This electronic mail transmission
may contain confidential information and is intended only for the person(s)
named. Any use, copying or disclosure by any other person is strictly
prohibited. If you have received this
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Well, maybe a better place to meet would be tomcat-dev, isn't it ?
I'm sure Dan Milstein would enjoy a French vacation ( I would ), but
so far mod_jk was developed by a larger group on tomcat-dev. Dan and Henri
are doing most of the work
Dan Milstein [EMAIL PROTECTED] wrote:
It would be nice to have this dicussion on tomcat-dev. I do think I have a
useful understanding of mod_jk to offer, but I'm not going to be in France
(and I'm not on the private thread)...
Not that we have to have that conversation now, but I would
David Abrams [EMAIL PROTECTED] wrote:
Hey,
Check out:
http://www.truelook.com
It is running off Tomcat, Apache, Cocoon!
We're using Ant for builds too.
Take Care,
David Abrams
Director of Technology
Perceptual Robotics, Inc.
That is _way_cool_... Thank you for notifying us...
On Sat, 17 Mar 2001, Steve Downey wrote:
It looks like the tester webapp in tomcat 4 was broken with last nights
servlet api changes?
Yep. Will fix that today.
Craig
On Fri, Mar 16, 2001 at 11:42:00PM -, [EMAIL PROTECTED] wrote:
arieh 01/03/16 15:42:00
Modified:src/share/org/apache/tomcat/request Tag: tomcat_32
StaticInterceptor.java
Log:
Add support for docbase localization lookup.
Maybe I'm missing
Note, we're webcasting NBA Finals, PGA Masters,
World Series, Oscars, Grammies, etc.
We should be a good test for scalability.
:)
Keep those bug fixes comming!
David
-Original Message-
From: Pier P. Fumagalli [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 17, 2001 12:21 PM
craigmcc01/03/17 10:50:33
Modified:tester/src/tester/org/apache/tester WrapperFilter.java
Log:
Adapt to the changes to the Filter API.
Revision ChangesPath
1.3 +23 -26
jakarta-tomcat-4.0/tester/src/tester/org/apache/tester/WrapperFilter.java
Index:
craigmcc01/03/17 11:46:42
Modified:catalina/src/share/org/apache/catalina/core Constants.java
StandardWrapper.java
Log:
Modify the special case treatment of loading the Jasper servlet so that it
works when you use jsp-file declarations in web.xml, as well
craigmcc01/03/17 11:48:22
Modified:tester/src/bin tester.xml
tester/web/WEB-INF web.xml
Added: tester/web Xerces00.jsp Xerces02.jsp
Log:
Add some additional tests to access JSP pages both before and after a
servlet that uses Xerces itself.
Revision
on 3/17/01 12:07 PM, "[EMAIL PROTECTED]" [EMAIL PROTECTED] wrote:
+private String filter(String message) {
Not sure if you have to do this for private methods, but you might want to
make that final in order to make sure that the JVM inlines the method.
stupid question of the day
Also,
On Sat, 17 Mar 2001, Jon Stevens wrote:
on 3/17/01 12:07 PM, "[EMAIL PROTECTED]" [EMAIL PROTECTED] wrote:
+private String filter(String message) {
Not sure if you have to do this for private methods, but you might want to
make that final in order to make sure that the JVM inlines
craigmcc01/03/17 12:52:50
Modified:src/share/org/apache/tomcat/context Tag: tomcat_32
DefaultCMSetter.java
src/share/org/apache/tomcat/util Tag: tomcat_32
RequestUtil.java
Log:
For Tomcat 3.2, fix the security
I just submitted a bug for it that describes how to reproduce it:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=1006
Tal
You can prove that it is not related to JSP by trying *any* URI that
includes JavaScript code, and triggers a 404, such as:
http://localhost:8080/examples/SCRIPTalert(document.cookie)/SCRIPT.xyz
The fix is to filter the message string included in the response, so
that
characters
On Sat, 17 Mar 2001, Remy Maucherat wrote:
You can prove that it is not related to JSP by trying *any* URI that
includes JavaScript code, and triggers a 404, such as:
http://localhost:8080/examples/SCRIPTalert(document.cookie)/SCRIPT.xyz
The fix is to filter the message
On Sat, 17 Mar 2001, Remy Maucherat wrote:
You can prove that it is not related to JSP by trying *any* URI that
includes JavaScript code, and triggers a 404, such as:
http://localhost:8080/examples/SCRIPTalert(document.cookie)/SCRIPT.xyz
The fix is to filter the
On Windows 2000 I'm
getting failures on tester:
FAIL [GET
/examples/..] java.io.FileNotFoundException: http://localhost:8080/examples/..
FAIL [GET
/tester/Session03] Expected data 'Session03 PASSED', got data 'Session03 FAILED
- No existing session 43687632F49215A2A42615B6D472'
FAIL
Let me correct this bug report - it looks like something broke between
3.3 m1 and 3.3 m2.
Authentication always brings up a "Basic" Authentication form,
regardless of my authentication method
specified.
My first guess is that the bug was introduced in
AccessInterceptor.java. Looking at the
On Sat, 17 Mar 2001, Steve Downey wrote:
On Windows 2000 I'm getting failures on tester:
FAIL [GET /examples/..] java.io.FileNotFoundException:
http://localhost:8080/examples/ http://localhost:8080/examples/ ..
This is a Tomcat 4.0 bug (Windows-specific). It works (at least for
me) on
Here's a patch to fix the jikes compiler code in Jasper - against tomcat 3.3 m2
It looks like there is something OS specific in the original code. Its not clear to
me that my fix
would work under all platforms. I'll leave that to greater minds.
It looks like under some OS, extra quotes are
craigmcc01/03/17 21:32:13
Modified:catalina/src/share/org/apache/catalina/core
LocalStrings.properties StandardContext.java
StandardWrapper.java
jasper/src/share/org/apache/jasper/compiler
craigmcc01/03/17 22:12:55
Modified:tester/src/tester/org/apache/tester ErrorPage02.java
ErrorPage04.java
Log:
Make sure that the servlet name gets passed to error pages, along with the
other specified attributes, per the recent servlet API changes.
remm01/03/17 22:36:14
Modified:catalina/src/share/org/apache/catalina/servlets
DefaultServlet.java
Log:
- Changes most of the methods in DefaultServlet from private to protected,
so that it's easier to extend its functionality.
The patch is big,
Ok, here's the patch. The attached files apply to tc 3.3. They
allow tag handler pooling per the jsp spec. The files come with
a few questions and comments.
Patch info:
--
TagPoolManagerInterceptor.java should be placed in
src/facade22/org/apache/tomcat/facade
TagPoolManager.java
32 matches
Mail list logo
