tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Tomcat 4.0.6 / 6.0.37 Struts 1.2.8 XSS CVE-2006-1548
Date Thu, 17 May 2018 15:46:57 GMT
On 17 May 2018 15:46:07 BST, Chris Bonk <> wrote:
>I have a strange issue, I am trying to track down the root cause for an
>ancient CVE-2006-1548
>I can replicate the XSS in Tomcat 4.0.6, however in Tomcat 6.0.37 the
>characters needed to inject the script are properly encoded, what is
>mechanism for this? I haven't been able to determine why
>handles the message parameter different between versioning.
>Can anyone point me in the right direction?

Looks like the error handling was rewritten in 4.1.x.

286679 looks relevant.

I'm on my phone so checking further is tricky but I suspect this is one of those grey areas
in the spec where it isn't clear if the webapp or the container is responsible for sanitizing
the data.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message