Actually this could be an issue on a poorly configured site where the admin does not override the default error pages. It would make it very easy to steal someone's cookies or session.

So while it might be an issue (I personally haven't checked), it's not an issue if the admin configures custom error pages to show instead of displaying the default.

-Tim

Remy Maucherat wrote:

David Rees wrote:

Anyone know how serious this is?


Lol.
If you're affected by XSS, then you have a problem (no site in the world deserves any privilege: *all* need javascript blocking these days).


It also appears to affect Tomcat 4.1.27 when using mod_jk as well. Below is a sample trace of an HTTP session.


Remy

