Ladies and Gentlemen:

One of our customers did a security audit on the Tomcat server we maintain on their system, and it found a few issues:

First, it found a cross-site scripting vulnerability.

Second, it found the HTTP DELETE method enabled.

Third, it found a click-jacking vulnerability.

Fourth, it found the HTTP OPTIONS method enabled.

Back in October, the click-jacking vulnerability came up on another customer box; I've found the thread, and just now set up the filter and filter-mapping in conf/web.xml, so that is hopefully taken care of in the next restart.

But I have no idea what to do about the cross-site scripting vulnerability, or the DELETE and OPTIONS methods, and I'm having trouble understanding the materials I've found.


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to