Posted to users@httpd.apache.org by Laura Randazzo <la...@utgi.us> on 2009/08/18 17:01:30 UTC

[users@httpd] XSS vulnerability between Apache http server and Tomcat using mod_jk connector

I have run into an XSS security problem between Apache http server and 
Tomcat using the mod_jk connector.  I have my Tomcat version 6.0.16 
server running behind an Apache http server 2.0.54 (I have also tested 
with version 2.2.13 with the same result) using mod_jk version 1.2.28.

If I send the URL

http://XXX.XXX.XXX.XXX/web/13048/1/-/message_boards/category/20180/%22%3E%3Cscript%3Ealert(6814)%3C/script%3E

to port 8080 (directly to my tomcat), the alert doesn't appear. However, 
if I send the above URL to port 80 (my Apache http server), I get an 
alert box.

I've manually put in the 
;-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false;-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false

to ensure they are set to false, but I still get the same behavior. I 
have looked through the possibilities in workers.properties and don't 
see anything to help stop this problem.  Is this a known issue?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
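The comparison the poster did by hand (same percent-encoded path sent to Tomcat on 8080 and to httpd on 80, then checking whether the alert fires) can be turned into a small triage script. The following is an added example, not code from the post or from the Apache projects; the two response bodies are constructed for illustration and are not captured from the poster's system, and the host name and the reflection behaviour of the application are assumptions. It classifies how the injected marker comes back in each body (verbatim, still percent-encoded, entity-escaped, or absent) and flags the case the post describes, where only the proxied path reflects it raw.

```python
"""Triage harness for a reflected-XSS difference between a backend reached
directly and the same backend reached through a reverse proxy.

Added example for the mailing-list post above; the sample bodies below are
constructed and do not come from the poster's system.
"""
import html
import sys
import urllib.request
from urllib.parse import quote, unquote

# The marker from the post, in the URL-encoded form it was sent in.
ENCODED_MARKER = "%22%3E%3Cscript%3Ealert(6814)%3C/script%3E"
RAW_MARKER = unquote(ENCODED_MARKER)  # "><script>alert(6814)</script>
# Path template from the post; host is a placeholder (assumption).
PATH_TEMPLATE = "/web/13048/1/-/message_boards/category/20180/{marker}"


def build_test_url(host: str, port: int) -> str:
    """URL for one leg of the comparison (direct Tomcat or httpd/mod_jk)."""
    return f"http://{host}:{port}" + PATH_TEMPLATE.format(marker=ENCODED_MARKER)


def classify_reflection(body: str, raw_marker: str = RAW_MARKER) -> str:
    """Report how the injected marker appears in a response body.

    "raw"          marker reflected verbatim: the script tag is live
    "url-encoded"  marker reflected percent-encoded: inert in HTML text
    "html-escaped" marker reflected with < > " as entities: inert
    "absent"       marker not reflected at all
    """
    if raw_marker in body:
        return "raw"
    encoded_forms = {
        ENCODED_MARKER,                  # as sent: ( ) / left literal
        quote(raw_marker, safe=""),      # everything encoded
    }
    if any(form in body for form in encoded_forms):
        return "url-encoded"
    escaped = html.escape(raw_marker, quote=True)
    escaped_forms = {escaped, escaped.replace("&quot;", "&#34;")}
    if any(form in body for form in escaped_forms):
        return "html-escaped"
    return "absent"


def compare_legs(direct_body: str, proxied_body: str) -> dict:
    """Classify both legs and flag the proxy-only XSS case from the post."""
    direct = classify_reflection(direct_body)
    proxied = classify_reflection(proxied_body)
    return {
        "direct": direct,
        "proxied": proxied,
        # True when only the proxied path hands the marker back as live HTML.
        "proxy_introduces_xss": proxied == "raw" and direct != "raw",
    }


def fetch_and_classify(url: str, timeout: float = 10.0) -> str:
    """Live variant: GET the URL and classify the body (network required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body)


# Constructed sample bodies: the direct leg echoes the path still encoded,
# the proxied leg echoes it decoded (the behaviour the post reports).
DIRECT_8080_BODY = (
    '<a href="/web/13048/1/-/message_boards/category/20180/'
    '%22%3E%3Cscript%3Ealert(6814)%3C/script%3E">Category</a>'
)
PROXIED_80_BODY = (
    '<a href="/web/13048/1/-/message_boards/category/20180/'
    '"><script>alert(6814)</script>">Category</a>'
)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python triage.py HOST  -> probes ports 8080 and 80 live.
        host = sys.argv[1]
        print("direct  :", fetch_and_classify(build_test_url(host, 8080)))
        print("proxied :", fetch_and_classify(build_test_url(host, 80)))
    else:
        print(compare_legs(DIRECT_8080_BODY, PROXIED_80_BODY))
```

Run it with a host name to probe both ports on a system you are authorised to test; without arguments it evaluates the constructed bodies. A "raw" result only on the proxied leg points at how the URI is decoded and re-encoded on the way through httpd and mod_jk (the JkOptions ForwardURI* settings govern that re-encoding), rather than at the Tomcat-side ALLOW_ENCODED_SLASH and ALLOW_BACKSLASH properties the post already tried.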