tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Tomcat 4.0.6 / 6.0.37 Struts 1.2.8 XSS CVE-2006-1548
Date Thu, 17 May 2018 15:46:57 GMT
On 17 May 2018 15:46:07 BST, Chris Bonk <bonk.chris@gmail.com> wrote:
>Hello,
>
>I have a strange issue, I am trying to track down the root cause for an
>ancient CVE-2006-1548
>
>http://struts.1045723.n5.nabble.com/DO-NOT-REPLY-Bug-38749-New-XSS-vulnerability-in-LookupDispatchAction-td3510079.html
>
>I can replicate the XSS in Tomcat 4.0.6; however, in Tomcat 6.0.37 the HTML
>characters needed to inject the script are properly encoded. What is the
>mechanism for this? I haven't been able to determine why ServletException
>handles the message parameter differently between versions.
>
>Can anyone point me in the right direction?

Looks like the error handling was rewritten in 4.1.x.

http://svn.apache.org/viewvc/tomcat/archive/tc4.1.x/trunk/container/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java?view=log

286679 looks relevant.

I'm on my phone so checking further is tricky but I suspect this is one of those grey areas
in the spec where it isn't clear if the webapp or the container is responsible for sanitizing
the data.

Mark
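To make the contrast in this thread concrete, here is an added example (not Tomcat's ErrorReportValve and not code from either poster) that models an error page which interpolates the exception message verbatim next to one that HTML-escapes it at the point of output. The class, method names and the sample message are hypothetical.

```java
// Added illustration, not Tomcat code. Models the two behaviours the thread
// contrasts: an error report that writes the exception message into the HTML
// body as-is, and one that encodes it first. Names are hypothetical.
public final class ErrorPageEscapingDemo {

    // Minimal HTML escaping for the characters that change meaning in
    // element and attribute text; enough for an error page's message line.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe rendering: whatever the application put in the message is
    // interpreted by the browser as markup.
    static String renderUnsafe(Throwable t) {
        return "<html><body><h1>HTTP Status 500</h1><p><b>message</b> "
             + t.getMessage() + "</p></body></html>";
    }

    // Hardened rendering: the message is encoded when written to the page,
    // so the same input is displayed as text rather than parsed as markup.
    static String renderEscaped(Throwable t) {
        return "<html><body><h1>HTTP Status 500</h1><p><b>message</b> "
             + escapeHtml(t.getMessage()) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: an exception whose message carries
        // request-derived text containing markup characters.
        Throwable t = new Exception("No action for \"<b>missing</b>\" & co");
        System.out.println(renderUnsafe(t));
        System.out.println(renderEscaped(t));
    }
}
```

Because the container's behaviour differs between versions, as the thread shows, the safe assumption for a webapp is to encode request-derived text before it ever reaches an exception message, rather than relying on the error page to do it.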


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

