Message-ID: <46C12172.9090701@apache.org>
Date: Mon, 13 Aug 2007 23:28:50 -0400
From: Mark Thomas
To: Tomcat Users List, Tomcat Developers List, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
CC: JPCERT/CC Vulnerability Handling Team
Subject: CVE-2007-3386: XSS in Host Manager
CVE-2007-3386: XSS in Host Manager

Severity: Low (Cross-site scripting)

Vendor: The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24

Description:
The Host Manager Servlet does not filter user-supplied data before display. This enables a cross-site scripting (XSS) attack.

Mitigation:
Log out (close browser) of the Host Manager application once admin tasks are complete
Upgrade to 6.0.14

Credit:
This issue was discovered by the NTT OSS CENTER, who worked with the JPCERT/CC to report the vulnerability.

Example:
References:
http://tomcat.apache.org/security.html