tomcat-users mailing list archives

From "carl" <c...@etrak-plus.com>
Subject Re: Tomcat cross-site scripting vulnerability
Date Fri, 04 Jul 2014 14:25:30 GMT


On 7/4/2014 9:46 AM, Vijendra Pachoriya wrote:
> Which version of Tomcat are you using?
>
> Either upgrade to Tomcat 7 or add this to your Tomcat context.xml: <Context useHttpOnly="true">
>
> Regards,
> Vijendra
>
> -----Original Message-----
> From: Radha Krishna Meduri -X (radmedur - HCL TECHNOLOGIES LIMITED at Cisco) [mailto:radmedur@cisco.com]
> Sent: 04 July 2014 18:45
> To: Tomcat Users List
> Subject: RE: Tomcat cross-site scripting vulnerability
>
> I think the application needs to take care of CSRF.
>
> -----Original Message-----
> From: carl [mailto:carl@etrak-plus.com]
> Sent: Friday, July 04, 2014 6:43 PM
> To: users@tomcat.apache.org
> Subject: Tomcat cross-site scripting vulnerability
>
> Our latest PCI scan using the Saint scanner shows the following:
>
> 404 Error Page Cross Site Scripting Vulnerability
> 12/21/09
> Apache Tomcat is prone to a cross-site scripting vulnerability because it fails to properly
> sanitize user-supplied input.
> An attacker may leverage this issue to execute arbitrary script code in the browser of
> an unsuspecting user in the context of the affected site.
>
> Is there any way to mitigate this vulnerability (I suspect anyone using Tomcat is going
> to see the same thing)?
>
> Thanks,
>
> Carl
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Thanks for the suggestion.

I am using 7 and am upgrading to the latest version.

Thanks,

Carl
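The thread's suggested setting is `useHttpOnly="true"` on the `<Context>` element. As an added check, not code from the thread or from the Tomcat project, the script below audits both the configuration (does context.xml actually set the attribute?) and its observable effect (does the JSESSIONID `Set-Cookie` header carry `HttpOnly`?). The context.xml fragments and cookie headers are constructed samples; the function names are my own.

```python
"""Audit the HttpOnly session-cookie setting discussed in the thread:
(1) does a Tomcat context.xml enable useHttpOnly on <Context>, and
(2) does an observed Set-Cookie header actually carry the HttpOnly flag.

All sample inputs below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed context.xml fragments: the weak setting beside the corrected one.
WEAK_CONTEXT = '<Context useHttpOnly="false"></Context>'
FIXED_CONTEXT = '<Context useHttpOnly="true"></Context>'

# Constructed Set-Cookie header values of the shape a servlet container emits.
COOKIE_WITHOUT_HTTPONLY = "JSESSIONID=0123456789ABCDEF; Path=/app"
COOKIE_WITH_HTTPONLY = "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"


def context_sets_httponly(context_xml: str) -> bool:
    """True only if the root element is <Context> and has useHttpOnly="true"."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        return False
    return root.get("useHttpOnly", "").strip().lower() == "true"


def set_cookie_has_httponly(header_value: str, cookie_name: str = "JSESSIONID") -> bool:
    """True if the Set-Cookie value names cookie_name and lists the HttpOnly attribute."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if name != cookie_name:
        return False
    # Attribute names in Set-Cookie are case-insensitive.
    return any(p.lower() == "httponly" for p in parts[1:])


def audit(context_xml: str, set_cookie_value: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not context_sets_httponly(context_xml):
        findings.append('context.xml: <Context> lacks useHttpOnly="true"')
    if not set_cookie_has_httponly(set_cookie_value):
        findings.append("response: JSESSIONID Set-Cookie has no HttpOnly flag")
    return findings


if __name__ == "__main__":
    for label, ctx, hdr in (("weak", WEAK_CONTEXT, COOKIE_WITHOUT_HTTPONLY),
                            ("fixed", FIXED_CONTEXT, COOKIE_WITH_HTTPONLY)):
        print(label, audit(ctx, hdr) or "OK")
```

Running the second check against a live instance means capturing the `Set-Cookie` header from a response that creates a session and passing its value to `set_cookie_has_httponly`. Note the scope of the setting: `HttpOnly` keeps page scripts from reading the session cookie, which limits what a reflected script on the error page could exfiltrate, but it does not change what the error page itself reflects; that is why upgrading, as Carl does, is the other half of the answer.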
