So, it was a hoax? :-) Leon
On Wed, Jul 22, 2009 at 3:30 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2009/7/22 Rémy Maucherat <remy.mauche...@gmail.com>:
>> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas <ma...@apache.org> wrote:
>>> You'll need to provide more details. Nothing stands out from the security
>>> pages.
>>>
>>> Please provide step by step instructions to reproduce from a clean Tomcat
>>> installation.
>>>
>>> Please also note that potential security vulnerabilities should be reported
>>> privately (see http://tomcat.apache.org/security.html), rather than to a
>>> public list. Since you have posted to a public list, there is no point
>>> continuing in private.
>>
>> I don't think the host is used in HTML generated by Tomcat. OTOH, like
>> the other strings returned by the API, ServletRequest.getServerName is
>> not XSS filtered.