tomcat-users mailing list archives

From Leon Rosenberg <rosenberg.l...@googlemail.com>
Subject Re: XSS vulnerability in Tomcat Host Header
Date Thu, 23 Jul 2009 09:21:33 GMT
So, it was a hoax? :-)

Leon

On Wed, Jul 22, 2009 at 3:30 PM, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:
> 2009/7/22 Rémy Maucherat <remy.maucherat@gmail.com>:
>> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas<markt@apache.org> wrote:
>>> You'll need to provide more details. Nothing stands out from the security pages.
>>>
>>> Please provide step by step instructions to reproduce from a clean Tomcat
>>> installation.
>>>
>>> Please also note that potential security vulnerabilities should be reported
>>> privately (see http://tomcat.apache.org/security.html), rather than to a public
>>> list. Since you have posted to a public list, there is no point continuing in
>>> private.
>>
>> I don't think the host is used in HTML generated by Tomcat. OTOH, like
>> the other strings returned by the API, ServletRequest.getServerName is
>> not XSS filtered.
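Rémy's point above is the one that matters for application authors: the servlet API hands back the Host header (or the server name derived from it) exactly as received, and it is the application's job to encode that value before writing it into HTML. The following is an added illustration, not code from anyone in this thread or from Tomcat itself. It is a plain Java program rather than a servlet so that it runs without the servlet API jar; in a real servlet the `serverName` argument would be `request.getServerName()`. The hostile Host value, the `escapeHtml` helper and the allow-list of hostnames are all constructed for the example.

```java
import java.util.Set;

/**
 * Added example (not from the thread or from Tomcat).
 * Demonstrates the difference between echoing an unfiltered server name
 * straight into markup and encoding it on output, plus an allow-list
 * check for the case where the value is used to build absolute URLs.
 */
public class ServerNameEcho {

    // Constructed hostile Host header value. Whatever characters the
    // container lets through would reach the application unchanged.
    static final String HOSTILE_HOST = "example.com\"><script>alert(1)</script>";

    /** Vulnerable pattern: server name concatenated directly into HTML. */
    static String renderUnsafe(String serverName) {
        return "<a href=\"http://" + serverName + "/\">" + serverName + "</a>";
    }

    /** Assumed helper: minimal escaping for HTML text and attribute contexts. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened pattern: encode on output so the value is treated as data. */
    static String renderEscaped(String serverName) {
        String safe = escapeHtml(serverName);
        return "<a href=\"http://" + safe + "/\">" + safe + "</a>";
    }

    /**
     * Stronger check when the value is used for URL construction:
     * accept only hostnames this deployment actually serves. The
     * allow-list is assumed to come from configuration. DNS names are
     * case-insensitive, so the comparison is too.
     */
    static boolean isKnownHost(String serverName, Set<String> allowed) {
        if (serverName == null) {
            return false;
        }
        for (String a : allowed) {
            if (a.equalsIgnoreCase(serverName)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("www.example.com", "example.com");
        System.out.println(renderUnsafe(HOSTILE_HOST));   // script tag lands in the page
        System.out.println(renderEscaped(HOSTILE_HOST));  // rendered as literal text
        System.out.println(isKnownHost(HOSTILE_HOST, allowed));  // false
        System.out.println(isKnownHost("EXAMPLE.COM", allowed)); // true
    }
}
```

The same treatment applies to every other request-derived string Rémy mentions (`getHeader("Host")`, `getRequestURI()`, `getQueryString()`, and so on): none of them is encoded by the container. In JSP, `<c:out>` from JSTL performs this escaping by default, whereas a bare `<%= request.getServerName() %>` does not.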

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

