httpd-users mailing list archives

From Laura Randazzo
Subject [users@httpd] XSS vulnerability between Apache http server and Tomcat using mod_jk connector
Date Tue, 18 Aug 2009 15:01:30 GMT
I have run into an XSS security problem between Apache http server and 
Tomcat using the mod_jk connector.  I have my Tomcat version 6.0.16 
server running behind an Apache http server 2.0.54 (I have also tested 
with version 2.2.13 with the same result) using mod_jk version 1.2.28.

If I send the URL


to port 8080 (directly to my Tomcat), the alert doesn't appear. However, 
if I send the above URL to port 80 (my Apache http server), I get an 
alert box.

I've manually put in the 

to ensure they are set to false, but I still get the same behavior. I 
have looked through the possibilities in and don't 
see anything to help stop this problem.  Is this a known issue?
