tomcat-users mailing list archives

From Rémy Maucherat <>
Subject Re: XSS vulnerability in Tomcat Host Header
Date Wed, 22 Jul 2009 12:48:36 GMT
On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas<> wrote:
> You'll need to provide more details. Nothing stands out from the security pages.
> Please provide step by step instructions to reproduce from a clean Tomcat
> installation.
> Please also note that potential security vulnerabilities should be reported
> privately (see, rather than to a public
> list. Since you have posted to a public list, there is no point continuing in
> private.

I don't think the host is used in HTML generated by Tomcat. OTOH, like
the other strings returned by the API, ServletRequest.getServerName is
not XSS filtered.


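The point Rémy makes above is that ServletRequest.getServerName(), which Tomcat derives from the client-supplied Host header, comes back exactly as sent, like getParameter() or getHeader(): the container does no output escaping, so a page that echoes it into HTML has to escape it at the output point. The following is an added illustration written for this page, not code from the thread, from Tomcat or from the Servlet API. The Host header values, the serverNameFromHostHeader() stand-in for request.getServerName(), and the two render functions are all constructed here to show the vulnerable pattern next to the fixed one.

```java
/**
 * Added example (not from the thread or Tomcat): a page that echoes
 * ServletRequest.getServerName() must HTML-escape it, because the value
 * is taken from the client's Host header and returned unfiltered.
 */
public class HostEcho {

    /**
     * Minimal HTML entity escaping for text placed in an element body or a
     * double-quoted attribute. The five characters below are the ones that
     * let attacker text break out of a text node or attribute value.
     */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: an API value concatenated straight into markup. */
    static String renderUnsafe(String serverName) {
        return "<p>You are connected to " + serverName + "</p>";
    }

    /** Fixed pattern: the same page, with the API value escaped where it is emitted. */
    static String renderSafe(String serverName) {
        return "<p>You are connected to " + escapeHtml(serverName) + "</p>";
    }

    /**
     * Stand-in for request.getServerName() (hypothetical helper for this example):
     * the host part of a raw Host header, with a trailing :port removed but an
     * IPv6 literal such as [::1] kept intact. Nothing here filters the value.
     */
    static String serverNameFromHostHeader(String hostHeader) {
        int colon = hostHeader.lastIndexOf(':');
        if (colon > 0 && hostHeader.indexOf(']') < colon) {
            return hostHeader.substring(0, colon);
        }
        return hostHeader;
    }

    public static void main(String[] args) {
        // Constructed Host header values; the last one carries an XSS payload.
        String[] hostHeaders = {
            "www.example.com:8080",
            "[::1]:8080",
            "x<img src=x onerror=alert(document.domain)>",
        };
        for (String h : hostHeaders) {
            String name = serverNameFromHostHeader(h);
            System.out.println("Host: " + h);
            System.out.println("  unsafe: " + renderUnsafe(name));
            System.out.println("  safe:   " + renderSafe(name));
        }
    }
}
```

In a JSP the same escaping is what `<c:out value="${pageContext.request.serverName}"/>` does by default, since JSTL's c:out has escapeXml set to true. Two caveats for anyone assessing this: a victim's own browser sets the Host header itself, so turning an unescaped getServerName() into a reflected attack needs some intermediary or virtual-host setup that passes an attacker's value through; and the fix belongs in the application's output, not in the container, since Tomcat is correct to hand the API caller the value the client actually sent.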
