Re: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread David Rees
Anyone know how serious this is? It also appears to affect Tomcat 4.1.27 when using mod_jk as well. Below is a sample trace of an HTTP session. -Dave telnet localhost 8080 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET /666%0a%0ascriptalert(asdf);/script666.jsp

RE: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Shapira, Yoav
-Original Message- From: David Rees [mailto:[EMAIL PROTECTED] Sent: Monday, September 29, 2003 2:41 PM To: Tomcat Developers List Subject: Re: Jakarta Tomcat 4.1 XSS vulnerability Anyone know how serious this is? It also appears to affect Tomcat 4.1.27 when using mod_jk as well. Below is a sample trace

RE: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread David Rees
On Mon, September 29, 2003 at 1:57 am, Shapira, Yoav sent the following I'm not a big security buff, but three things come to mind: - The original post with the exploit is more than a year old, yet we haven't heard anything about this actually used maliciously -- how come? Can't answer this

Re: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Bill Barker
:57 AM Subject: RE: Jakarta Tomcat 4.1 XSS vulnerability Howdy, I'm not a big security buff, but three things come to mind: - The original post with the exploit is more than a year old, yet we haven't heard anything about this actually used maliciously -- how come? - Is it really a vulnerability

Re: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread David Rees
On Mon, September 29, 2003 at 2:32 pm, Bill Barker sent the following Remy has already patched the HTTP Connector for this one (both Tomcat 4 & 5). I believe that the patch still needs to be ported to the JK2 Connector. Thanks for the update, Bill. Hope to see Tomcat 4.1.28 out soon, look like

RE: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Shapira, Yoav
Howdy, This is interesting, hopefully you won't mind educating me a bit further... - Is it really a vulnerability? What can you get from this exploit? You can hijack the user's session or steal information from a user's cookie pretty easily with a XSS flaw such as this one. How would you

RE: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Chad Johnson
. -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Monday, September 29, 2003 2:34 PM To: Tomcat Developers List Subject: RE: Jakarta Tomcat 4.1 XSS vulnerability Howdy, This is interesting, hopefully you won't mind educating me a bit further... - Is it really

RE: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread David Rees
On Mon, September 29, 2003 at 2:34 pm, Shapira, Yoav sent the following Howdy, This is interesting, hopefully you won't mind educating me a bit further... Not at all, but keep in mind I haven't studied all that much myself... ;-) - Is it really a vulnerability? What can you get from this

RE: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Shapira, Yoav
Howdy, OK, makes sense. Thanks for the examples! Yoav Shapira Millennium ChemInformatics -Original Message- From: David Rees [mailto:[EMAIL PROTECTED] Sent: Monday, September 29, 2003 3:50 PM To: Tomcat Developers List Subject: RE: Jakarta Tomcat 4.1 XSS vulnerability On Mon

Re: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Remy Maucherat
David Rees wrote: Anyone know how serious this is? Lol. If you're affected by XSS, then you have a problem (no site in the world deserves any privilege: *all* need javascript blocking these days). It also appears to affect Tomcat 4.1.27 when using mod_jk as well. Below is a sample trace of a

Re: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Bill Barker
- Original Message - From: David Rees [EMAIL PROTECTED] To: Tomcat Developers List [EMAIL PROTECTED] Sent: Monday, September 29, 2003 12:33 PM Subject: Re: Jakarta Tomcat 4.1 XSS vulnerability On Mon, September 29, 2003 at 2:32 pm, Bill Barker sent the following Remy has already

Re: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Tim Funk
Actually this could be an issue on a poorly configured site where the admin does not override the default error pages. It would make it very easy to steal someone's cookies or session. So while it might be an issue (I personally haven't checked), it's not an issue if the admin configures custom error

RE: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread David Rees
On Mon, September 29, 2003 at 2:49 pm, Shapira, Yoav sent the following Howdy, OK, makes sense. Thanks for the examples! Glad I could help. Hopefully you (and others) can use this information while designing web applications to avoid similar XSS issues in the future even if they are

Re: Jakarta Tomcat 4.1 XSS vulnerability

2003-09-29 Thread Jeff Tulley
I've found a very good explanation of XSS: http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322 Novell, Inc., The Leading Provider of Net Business Solutions http://www.novell.com [EMAIL PROTECTED] 9/29/03 2:26:54 PM Actually this

Jakarta Tomcat 4.1 XSS vulnerability

2003-09-28 Thread Kan Ogawa
Hi, Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was reported last year, is not yet resolved. http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0 I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1 connector.