tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r662584 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml
Date Mon, 02 Jun 2008 21:42:03 GMT
Author: markt
Date: Mon Jun  2 14:42:03 2008
New Revision: 662584

URL: http://svn.apache.org/viewvc?rev=662584&view=rev
Log:
Document potential XSS in host-manager.
This is CVE-2008-1947.

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Jun  2 14:42:03 2008
@@ -222,6 +222,43 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 5.5.SVN">
+<strong>Fixed in Apache Tomcat 5.5.SVN</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947">
+       CVE-2008-1947</a>
+</p>
+
+    <p>The Host Manager web application did not escape user provided data before
+       including it in the output. This enabled a XSS attack. This application
+       now filters the data before use. This issue may be mitigated by logging
+       out (closing the browser) of the application once the management tasks
+       have been completed.</p>
+
+    <p>Affects: 5.5.9-5.5.26</p>
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 5.5.26">
 <strong>Fixed in Apache Tomcat 5.5.26</strong>
 </a>
@@ -331,7 +368,7 @@
 
     <p>The Manager and Host Manager web applications did not escape user
        provided data before including it in the output. This enabled a XSS
-       attack. These applciations now filter the data before use. This issue may
+       attack. These applications now filter the data before use. This issue may
        be mitigated by logging out (closing the browser) of the application once
        the management tasks have been completed.</p>
 

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jun  2 14:42:03 2008
@@ -216,6 +216,43 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 6.0.SVN">
+<strong>Fixed in Apache Tomcat 6.0.SVN</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947">
+       CVE-2008-1947</a>
+</p>
+
+    <p>The Host Manager web application did not escape user provided data before
+       including it in the output. This enabled a XSS attack. This application
+       now filters the data before use. This issue may be mitigated by logging
+       out (closing the browser) of the application once the management tasks
+       have been completed.</p>
+
+    <p>Affects: 6.0.0-6.0.16</p>
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.16">
 <strong>Fixed in Apache Tomcat 6.0.16</strong>
 </a>
@@ -339,7 +376,7 @@
 
     <p>The Manager and Host Manager web applications did not escape user
        provided data before including it in the output. This enabled a XSS
-       attack. These applciations now filter the data before use. This issue may
+       attack. These applications now filter the data before use. This issue may
        be mitigated by logging out (closing the browser) of the application once
        the management tasks have been completed.</p>
 

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun  2 14:42:03 2008
@@ -28,6 +28,20 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 5.5.SVN">
+    <p><strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947">
+       CVE-2008-1947</a></p>
+
+    <p>The Host Manager web application did not escape user provided data before
+       including it in the output. This enabled a XSS attack. This application
+       now filters the data before use. This issue may be mitigated by logging
+       out (closing the browser) of the application once the management tasks
+       have been completed.</p>
+
+    <p>Affects: 5.5.9-5.5.26</p>
+  </section>
+
   <section name="Fixed in Apache Tomcat 5.5.26">
     <p><strong>low: Session hi-jacking</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333">
@@ -95,7 +109,7 @@
 
     <p>The Manager and Host Manager web applications did not escape user
        provided data before including it in the output. This enabled a XSS
-       attack. These applciations now filter the data before use. This issue may
+       attack. These applications now filter the data before use. This issue may
        be mitigated by logging out (closing the browser) of the application once
        the management tasks have been completed.</p>
 

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun  2 14:42:03 2008
@@ -22,6 +22,20 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 6.0.SVN">
+    <p><strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947">
+       CVE-2008-1947</a></p>
+
+    <p>The Host Manager web application did not escape user provided data before
+       including it in the output. This enabled a XSS attack. This application
+       now filters the data before use. This issue may be mitigated by logging
+       out (closing the browser) of the application once the management tasks
+       have been completed.</p>
+
+    <p>Affects: 6.0.0-6.0.16</p>
+  </section>
+
   <section name="Fixed in Apache Tomcat 6.0.16">
     <p><strong>low: Session hi-jacking</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333">
@@ -101,7 +115,7 @@
 
     <p>The Manager and Host Manager web applications did not escape user
        provided data before including it in the output. This enabled a XSS
-       attack. These applciations now filter the data before use. This issue may
+       attack. These applications now filter the data before use. This issue may
        be mitigated by logging out (closing the browser) of the application once
        the management tasks have been completed.</p>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message