tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Fwd: XSS in Jakarta Tomcat 5.5.6
Date Mon, 03 Jan 2005 16:12:35 GMT
Remy Maucherat wrote:
> Erik Abele wrote:
> 
>> not acked, just fwd'ing...
> 
> 
> The issues mentioned in this email are very minor so -> tomcat-dev.
> 
>> Begin forwarded message:
>>
>>> From: "Oliver Karow" <Oliver.Karow@gmx.de>
>>> Date: 3 January 2005 12:29:12 CET
>>> To: security@apache.org
>>> Subject: XSS in Jakarta Tomcat 5.5.6
>>>
>>> Hello and a happy new year,
>>>
>>> While coding a little webapp security scanner, I found cross-site
>>> scripting vulnerabilities in Apache Tomcat/5.5.6 (JVM version
>>> 1.5.0_01-b08 (Sun Microsystems), running on Windows 2000).
>>>
>>> The first one needs authentication:
>>>
>>> http://192.168.0.23:8080/manager/html/<script>alert("Hallo")</script>
>>> http://192.168.0.23:8080/manager/html/stop?path=<script>alert("Hallo")</script>
>>> http://192.168.0.23:8080/manager/html/start?path=<script>alert("Hallo")</script>
> 
> 
> This is a non-issue, so I'd say we won't fix that. It's always possible 
> that someone would fix it though, if they care ;)

I'll look at this for the same reason I looked at the XSS issues in the 
examples - not that it is a real security issue but to stop us having to 
periodically explain to people who don't understand security why this 
is a total non-issue.

> 
>>> The second one works without authentication, but should not be that easy
>>> to exploit:
>>>
>>> Telnet to port 8080 and paste the following:
>>>
>>> <script>alert("Hallo")</script> /jsp-examples/snp/snoop.jsp HTTP/1.0
> 
> 
> We have decided to fix XSS in the examples web applications (which 
> should obviously be removed from production servers), so I assume we 
> will fix this.

I posted the patches to fix examples to the committers list a little 
while ago (I can't patch it myself as fixing the examples requires 
jakarta-servletapi-5 karma). I'll dig out the patch and post it here.

> 
>>> Because I'm not very familiar with Tomcat, I want to ask you to verify
>>> the existence of this bug. I looked at securityfocus.com to verify the
>>> existence of this bug, but could not find anything regarding this
>>> version of Tomcat.
>>>
>>> If you have any questions, feel free to contact me!
>>>
>>> Best regards,
> 
> 
> Rémy
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
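Both reports above come down to one pattern: a page writes request data (the manager's "path" parameter, and snoop.jsp's echo of the request method and request URI) into its HTML response without escaping it, so a request line whose method or query string carries a script tag gets that tag back as live markup. What follows is an added example, not code from Tomcat or from anyone on this thread. It reproduces that pattern outside a container and shows the fix. The class name, the escapeHtml helper and the snoop-style table layout are mine; the assumption that the page concatenates request fields straight into the response is taken from the behaviour the report describes, and the request values are constructed from the payload in the report.

```java
// Added example, not Tomcat code: reflected XSS from echoing request
// fields into HTML, and the output-escaping fix. Run: java SnoopXss.java
import java.util.LinkedHashMap;
import java.util.Map;

public class SnoopXss {

    /** Escape the characters that let untrusted text break out of an HTML text or attribute context. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Renders a snoop-style page from request data, the way a JSP that prints
     * request.getMethod(), request.getRequestURI() and request.getParameter()
     * would. escape=false reproduces the reported behaviour; escape=true is the fix.
     */
    static String renderSnoop(String method, String uri, Map<String, String> params, boolean escape) {
        StringBuilder html = new StringBuilder("<html><body><h1>Request Information</h1>\n<table>\n");
        html.append(row("Request method", method, escape));
        html.append(row("Request URI", uri, escape));
        for (Map.Entry<String, String> e : params.entrySet()) {
            html.append(row("Parameter " + e.getKey(), e.getValue(), escape));
        }
        return html.append("</table>\n</body></html>\n").toString();
    }

    private static String row(String label, String value, boolean escape) {
        String v = escape ? escapeHtml(value) : value;
        return "<tr><td>" + escapeHtml(label) + "</td><td>" + v + "</td></tr>\n";
    }

    /** True when the rendered page still contains an opening script tag, i.e. the payload is live. */
    static boolean containsLiveScript(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed request mirroring the report: the payload sits in the HTTP
        // method of a hand-typed request line, and in the manager's "path" parameter.
        String payload = "<script>alert(\"Hallo\")</script>";
        Map<String, String> params = new LinkedHashMap<>();
        params.put("path", payload);

        String vulnerable = renderSnoop(payload, "/jsp-examples/snp/snoop.jsp", params, false);
        String fixed = renderSnoop(payload, "/jsp-examples/snp/snoop.jsp", params, true);

        System.out.println("--- unescaped (reported behaviour) ---\n" + vulnerable);
        System.out.println("--- escaped (fix) ---\n" + fixed);
        System.out.println("script reflected live: unescaped=" + containsLiveScript(vulnerable)
                + " escaped=" + containsLiveScript(fixed));
    }
}
```

Run it with a JDK that supports single-file launch (java SnoopXss.java, JDK 11 or later). Escaping at output time into an HTML text context is the whole fix for the two cases in the report; a value written inside a script block or an unquoted attribute would need the encoding appropriate to that context instead, and the check in containsLiveScript only detects this one payload shape, which is enough to show the difference between the two renderings but is not a general XSS detector.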