Re: Cross-site scripting vulnerability

2005-05-28 Thread Mark Thomas
XSS issues have been reported in: - the servlet 2.3 examples (including snoop.jsp) - the manager servlet - the servlet 2.4 examples (affects TC5 only) All of these have been fixed in CVS. Fixes for these are included in Tomcat 5.5.7 onwards. Tomcat 4.1.31 still has the following XSS issues

Re: Cross-site scripting vulnerability

2005-05-27 Thread Frank W. Zammetti
I notice the more... at the end of that... do you have the more by chance? Cross-site scripting (CSS) vulnerabilities are, generally speaking, concerned with situations where a server-side process generates HTML dynamically and there is a possibility of input data that has not been scrubbed of

Re: Cross-site scripting vulnerability

2004-04-07 Thread Rui Lopes
Shapira, Yoav wrote: Howdy, Fixed in the latest stable releases, upgrade and test for yourself. Yoav Shapira Millennium Research Informatics -Original Message- From: Rui Lopes [mailto:[EMAIL PROTECTED] Sent: Monday, April 05, 2004 11:05 AM To: [EMAIL PROTECTED] Subject: Cross-site

RE: Cross-site scripting vulnerability

2004-04-05 Thread Shapira, Yoav
Howdy, Fixed in the latest stable releases, upgrade and test for yourself. Yoav Shapira Millennium Research Informatics -Original Message- From: Rui Lopes [mailto:[EMAIL PROTECTED] Sent: Monday, April 05, 2004 11:05 AM To: [EMAIL PROTECTED] Subject: Cross-site scripting vulnerability

RE: Cross-site scripting!!!..

2003-02-13 Thread Larry Isaacs
I have this mostly fixed in my local source for Tomcat 3.3.2, but have not yet committed the changes to CVS. The changes will be present when Tomcat 3.3.2 releases. Note that the security vulnerability is not in the server itself, but in the examples webapp and the SnoopServlet in the ROOT