From: Mark Thomas
Date: Mon, 18 Jun 2007 19:30:20 -0400
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, Tomcat Users List, Tomcat Developers List
Subject: [CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language header processing

CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language header processing

Severity: Low (cross-site scripting)

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.34
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.20
Tomcat 6.0.0 to 6.0.5

Description:
Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit; however, older versions of Flash Player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores Accept-Language header values that do not conform to RFC 2616.

Mitigation:
1. Upgrade to a fixed version.
2. Escape values obtained from the Accept-Language header before use.

Credit:
This issue was reported by Masato Anzai and Toshiharu Sugiyama.

References:
http://tomcat.apache.org/security.html

Mark Thomas
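As an added illustration (not from the advisory or from Tomcat's own source), the following Python checks an Accept-Language value against the RFC 2616 section 14.4 grammar, discards non-conforming values the way the fixed Tomcat versions do, and HTML-escapes whatever is displayed, as the second mitigation recommends. The sample header values are constructed for this example.

```python
import html
import re

# RFC 2616 section 14.4 grammar, as regular expressions:
#   language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
#   qvalue         = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
LANGUAGE_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)"
QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"
# One list element: a language-range with an optional ";q=" parameter,
# allowing linear whitespace (space/tab) around the separators.
ELEMENT = re.compile(rf"{LANGUAGE_RANGE}(?:[ \t]*;[ \t]*q[ \t]*=[ \t]*{QVALUE})?")


def is_valid_accept_language(value):
    """True iff value conforms to the RFC 2616 Accept-Language grammar."""
    if value is None:
        return False
    # RFC 2616 #rule: elements are comma-separated; null elements are
    # permitted but at least one real element must be present.
    elements = [e.strip(" \t") for e in value.split(",")]
    non_empty = [e for e in elements if e]
    if not non_empty:
        return False
    return all(ELEMENT.fullmatch(e) is not None for e in non_empty)


def sanitize_accept_language(value):
    """Fixed-Tomcat behaviour: treat a malformed header as if it were absent."""
    return value if is_valid_accept_language(value) else None


def render_language_notice(value):
    """Mitigation 2: HTML-escape the value before embedding it in a page."""
    shown = value if value is not None else "(none)"
    return "<p>Your browser prefers: " + html.escape(shown, quote=True) + "</p>"


def display_language(raw_header):
    """Apply both defences: drop non-conforming input, then escape on output."""
    return render_language_notice(sanitize_accept_language(raw_header))


# Constructed sample header values (not taken from the advisory).
SAMPLES = [
    "en-US,en;q=0.8,de;q=0.5",   # conformant
    "fr-CA ; q=0.900",           # conformant, with LWS around separators
    "en<b>bold</b>",             # '<' is not allowed by the grammar
    "en;q=1.5",                  # qvalue outside 0..1
    "toolonglanguage",           # subtag longer than 8 ALPHA
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", display_language(sample))
```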