tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: XSS vulnerability in Tomcat Host Header
Date Wed, 22 Jul 2009 13:30:39 GMT
2009/7/22 Rémy Maucherat <remy.maucherat@gmail.com>:
> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas<markt@apache.org> wrote:
>> You'll need to provide more details. Nothing stands out from the security pages.
>>
>> Please provide step by step instructions to reproduce from a clean Tomcat
>> installation.
>>
>> Please also note that potential security vulnerabilities should be reported
>> privately (see http://tomcat.apache.org/security.html), rather than to a public
>> list. Since you have posted to a public list, there is no point continuing in
>> private.
>
> I don't think the host is used in HTML generated by Tomcat. OTOH, like
> the other strings returned by the API, ServletRequest.getServerName is
> not XSS filtered.
>

At least, if there are concerns about that, there is a workaround:

you can specify the proxyName attribute on a <Connector> element in server.xml

In that case the one that is in the request will be ignored.

Documentation is here:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html

Best regards,
Konstantin Kolinko
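As an added illustration of the workaround described above (this snippet is not part of the original mail and is not taken from the Tomcat documentation verbatim), here is what a server.xml HTTP connector looks like with the proxyName attribute set. The hostname and port values are placeholders; proxyPort is the companion attribute documented on the same page as proxyName, and is assumed here to be what a deployment would normally set alongside it so that getServerPort() is fixed as well.

```xml
<!-- Added example: server.xml connector with a fixed server name.
     Before: the value returned by ServletRequest.getServerName() comes
     straight from the client's Host header, and the servlet API does
     not HTML-escape it, so any page that writes it out must encode it.
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

<!-- After: proxyName/proxyPort override whatever the request carries,
     so getServerName()/getServerPort() return these fixed values
     regardless of the Host header. Values below are placeholders. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyName="www.example.com"
           proxyPort="80" />
```

Note that the override is fixed per connector, so it only fits a connector that serves a single public hostname; a deployment exposing several names on one connector would still need to treat getServerName() as untrusted input and encode it on output. The same two attributes are documented for the AJP connector at the second link above.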

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org