tomcat-dev mailing list archives

From Kan Ogawa <super-cr...@jcom.home.ne.jp>
Subject Jakarta Tomcat 4.1 XSS vulnerability
Date Sun, 28 Sep 2003 10:14:50 GMT
Hi,

The Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
reported last year, has not yet been resolved.

http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0

I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
connector.

http://localhost:8080/666%0a%0a<script>alert("asdf");</script>666.jsp

On the other hand, on Tomcat 5.0, it was not reproduced.
Are you neglecting to resolve it in Tomcat 4.x, Tomcat committers?

Regards,

-- 
Kan Ogawa
super-creek@jcom.home.ne.jp
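
The root cause behind a reflected XSS of this kind is a request path being copied into an error page without HTML escaping. The following is an added example, not Tomcat code and not part of the original message: it decodes the percent-encoded path from the report, shows the pattern that reflects it verbatim beside a hardened version, and uses a small hand-written `escapeHtml` helper (a hypothetical name chosen here, not a Tomcat API).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not Tomcat code): build a 404 page that reflects the
 * requested path without letting it inject markup.
 */
public class SafeNotFoundPage {

    /** Escape the characters that let untrusted text break out of HTML text content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the decoded request URI is concatenated straight into the page body. */
    static String unsafeNotFound(String decodedUri) {
        return "<html><body><h1>404 Not Found</h1><p>The requested resource ("
                + decodedUri + ") is not available.</p></body></html>";
    }

    /** Hardened pattern: the same page, with the URI escaped before it is embedded. */
    static String safeNotFound(String decodedUri) {
        return "<html><body><h1>404 Not Found</h1><p>The requested resource ("
                + escapeHtml(decodedUri) + ") is not available.</p></body></html>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the path from the report, as it arrives percent-encoded on the wire.
        String rawPath = "/666%0a%0a<script>alert(\"asdf\");</script>666.jsp";
        // A servlet container decodes the path before looking the resource up; %0a becomes a newline.
        String decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8.name());

        System.out.println("decoded path contains <script>:  " + decoded.contains("<script>"));
        System.out.println("unsafe page reflects raw tag:    " + unsafeNotFound(decoded).contains("<script>"));
        System.out.println("safe page reflects escaped tag:  " + safeNotFound(decoded).contains("&lt;script&gt;"));
        System.out.println(safeNotFound(decoded));
    }
}
```

Two caveats when reusing this: `URLDecoder` implements form decoding, so it turns `+` into a space, which is not what a path decoder should do; it is used here only to make the `%0a` sequences from the report visible. And escaping is context-specific: the helper above is correct for HTML text content and quoted attribute values, but a path placed inside a `<script>` block or a URL attribute needs the escaping rules of that context instead.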

