CVE-2007-3384: XSS in Tomcat cookies example

Severity: Low (Cross-site scripting)

Vendor: The Apache Software Foundation

Versions Affected: 3.3 to 3.3.2

Description:
When reporting error messages, Tomcat does not filter user-supplied data before display. This enables an XSS attack.

Mitigation:
Remove the examples web application.
Apply the patch available from http://tomcat.apache.org/download-33.cgi

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing and Networking Center, who worked with the CERT/CC to report the vulnerability.

Example:
Open http://localhost:8080/examples/servlet/CookieExample, populate the Name or Value field with
<script>alert('XSS reflected');</script>
and submit.
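The defect class behind this advisory is request data echoed into HTML without output encoding. The following is an added illustration, not code from the Tomcat CookieExample servlet: it shows the unsafe concatenation pattern beside a version that HTML-encodes each reflected field. Method names are hypothetical and servlet plumbing is omitted so the file compiles on its own.

```java
// Added example, not the Tomcat CookieExample servlet's own code.
// Shows the class of defect in CVE-2007-3384: a user-supplied cookie
// name/value reflected into HTML unescaped, beside the hardened form that
// encodes every reflected value. Method names are hypothetical.
public final class CookieEchoDemo {

    // Encode the five characters that can close an HTML text node or an
    // attribute value. Per-character replacement means order does not matter.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: request data concatenated straight into the page.
    static String renderUnsafe(String name, String value) {
        return "<p>Cookie " + name + " = " + value + "</p>";
    }

    // Hardened pattern: same markup, every reflected field encoded for the
    // HTML text context it is written into.
    static String renderSafe(String name, String value) {
        return "<p>Cookie " + escapeHtml(name) + " = " + escapeHtml(value) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed input matching the proof-of-concept in the advisory.
        String name = "<script>alert('XSS reflected');</script>";
        String value = "x";
        System.out.println("unsafe: " + renderUnsafe(name, value));
        String safe = renderSafe(name, value);
        System.out.println("safe:   " + safe);
        // Check: between the fixed <p> and </p> no raw tag delimiters remain.
        String body = safe.substring(3, safe.length() - 4);
        System.out.println("tags neutralised: " + !(body.contains("<") || body.contains(">")));
    }
}
```

Removing the examples application, as the advisory recommends, is still the right fix for a deployment; the encoding shown here is what an application of your own must do wherever it reflects request data.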