tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <>
Subject Re: XSS vulnerability in Tomcat Host Header
Date Wed, 22 Jul 2009 13:30:39 GMT
2009/7/22 Rémy Maucherat <>:
> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas<> wrote:
>> You'll need to provide more details. Nothing stands out from the security pages.
>> Please provide step by step instructions to reproduce from a clean Tomcat
>> installation.
>> Please also note that potential security vulnerabilities should be reported
>> privately (see, rather than to a public
>> list. Since you have posted to a public list, there is no point continuing in
>> private.
> I don't think the host is used in HTML generated by Tomcat. OTOH, like
> the other strings returned by the API, ServletRequest.getServerName is
> not XSS filtered.

At least, if there are concerns about that, there is a workaround:

you can specify proxyName  attribute on a <Connector> element in server.xml

In that case the one that is in request will be ignored.

Documentation is here:

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message