Konstantin Kolinko wrote:
> 2009/7/22 Rémy Maucherat <remy.mauche...@gmail.com>:
>> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas<ma...@apache.org> wrote:
>>> You'll need to provide more details. Nothing stands out from the security pages.
>>>
>>> Please provide step by step instructions to reproduce from a clean Tomcat
>>> installation.
>>>
>>> Please also note that potential security vulnerabilities should be reported
>>> privately (see http://tomcat.apache.org/security.html), rather than to a public
>>> list. Since you have posted to a public list, there is no point continuing in
>>> private.
>> I don't think the host is used in HTML generated by Tomcat. OTOH, like
>> the other strings returned by the API, ServletRequest.getServerName is
>> not XSS filtered.
>>
> 
> At least, if there are concerns about that, there is a workaround:
> 
> you can specify the proxyName attribute on a <Connector> element in server.xml
> 
> In that case the one that is in the request will be ignored.
> 
> Documentation is here:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html

For the record, private mail with more detail has indicated that this is an
issue in an application deployed to Tomcat, rather than Tomcat itself. The issue
has been forwarded to the appropriate folks to be dealt with.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org