Return-Path: 
 <tomcat-dev-return-34674-apmail-jakarta-tomcat-dev-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-dev-archive@www.apache.org
Received: (qmail 94314 invoked from network); 28 Sep 2003 10:15:57 -0000
Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12)
  by minotaur-2.apache.org with SMTP; 28 Sep 2003 10:15:57 -0000
Received: (qmail 92453 invoked by uid 500); 28 Sep 2003 10:15:22 -0000
Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org
Received: (qmail 92395 invoked by uid 500); 28 Sep 2003 10:15:22 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
List-Subscribe: <mailto:tomcat-dev-subscribe@jakarta.apache.org>
List-Help: <mailto:tomcat-dev-help@jakarta.apache.org>
List-Post: <mailto:tomcat-dev@jakarta.apache.org>
List-Id: "Tomcat Developers List" <tomcat-dev.jakarta.apache.org>
Reply-To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 92284 invoked from network); 28 Sep 2003 10:15:20 -0000
Received: from unknown (HELO femail11.im.home.ne.jp) (203.165.11.233)
  by daedalus.apache.org with SMTP; 28 Sep 2003 10:15:20 -0000
Received: by femail11.im.home.ne.jp with ESMTP
          id
 <20030928101533.VORI1106.femail11.im.home.ne.jp@smtp201.mf.home.ne.jp>;
          Sun, 28 Sep 2003 19:15:33 +0900
Received: from jcom.home.ne.jp (61-27-53-63.home.ne.jp [61.27.53.63])
	by smtp201.mf.home.ne.jp (s23091800) with ESMTP id h8SAFXfE002771;
	Sun, 28 Sep 2003 19:15:33 +0900 (JST)
Message-ID: <3F76B49A.6090803@jcom.home.ne.jp>
Date: Sun, 28 Sep 2003 19:14:50 +0900
From: Kan Ogawa <super-creek@jcom.home.ne.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; ja-JP;
 rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en, ja
MIME-Version: 1.0
To: security@apache.org, tomcat-dev@jakarta.apache.org
Subject: Jakarta Tomcat 4.1 XSS vulnerability
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

Hi,

Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was
reported last year, is not yet resolved.

http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0

I verified this vulnerability on Tomcat 4.1.27 with Coyote HTTP/1.1
connector.

http://localhost:8080/666%0a%0a<script>alert("asdf");</script>666.jsp

On the other hand, on Tomcat 5.0, it was not reproduced.
Do you neglect to resolve it to Tomcat 4.x, Tomcat committers?

Regards,

-- 
Kan Ogawa
super-creek@jcom.home.ne.jp


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org