Posted to users@tomcat.apache.org by "Dan K." <da...@YorkU.CA> on 2002/07/10 19:50:27 UTC

wp-02-0008: Apache Tomcat Cross Site Scripting

Hi,

Regarding the recent advisory from Westpoint Security:

-------------------------------------
Westpoint Security Advisory

Title:            Apache Tomcat Cross Site Scripting
Risk Rating:      Low
Software:         Apache Tomcat v4.0.3
Platforms:        WinNT, Win2k, Linux
Vendor URL:       jakarta.apache.org
Author:           Matt Moore <ma...@westpoint.ltd.uk>
Date:             10th July 2002
Advisory ID#:     wp-02-0008

Overview:
=========
Apache Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.

Tomcat has a couple of Cross Site Scripting vulnerabilities.

<SNIPPED>

Patch Information:
==================

Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.

The workaround for the other XSS issues described above is as follows:

The "invoker" servlet (mapped to /servlet/), which executes anonymous servlet
classes that have not been defined in a web.xml file, should be unmapped.

The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.
-------------------------------------

What does one need to do exactly regarding the work-around for 4.0.x
versions of Tomcat?  Unmapping the "invoker" servlet for /servlet/ seems
to disable my webapps!  Or am I misinterpreting this?
TIA.

Regards,
Dan
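The fragments below are added here as an illustration of the quoted workaround; they are not part of Dan's message or of the Westpoint advisory. The first shows the invoker servlet as shipped in the global /tomcat-install-dir/conf/web.xml of Tomcat 4.0.x, with its /servlet/* mapping commented out so that URLs under /servlet/ no longer resolve to arbitrary classes. The second is a hypothetical per-application WEB-INF/web.xml that gives one servlet an explicit name and URL pattern (the application name myapp, the servlet name report and the class com.example.ReportServlet are assumptions made for the example), which is what an application that relied on /servlet/ClassName URLs needs once the invoker is gone. Both fragments are shown without the surrounding <web-app> element and DOCTYPE.

```xml
<!-- /tomcat-install-dir/conf/web.xml (Tomcat 4.0.x global defaults) -->
<!-- The servlet definition can stay; it is the mapping that exposes it. -->
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

<!-- Before: any servlet class on the classpath is reachable as /servlet/ClassName -->
<!--
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
<!-- After: with the mapping above commented out, nothing answers under /servlet/ -->

<!-- /tomcat-install-dir/webapps/myapp/WEB-INF/web.xml (hypothetical application) -->
<!-- Every servlet the application actually uses gets its own name and mapping, -->
<!-- so it is reachable at /myapp/report instead of /myapp/servlet/com.example.ReportServlet -->
<servlet>
    <servlet-name>report</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>report</servlet-name>
    <url-pattern>/report</url-pattern>
</servlet-mapping>
```

After restarting Tomcat, a request for a class name under /servlet/ should return 404 rather than execute it, while the explicitly mapped URL (here /myapp/report) keeps working. Since an application's own WEB-INF/web.xml can add a servlet-mapping that references the global servlet-name "invoker", each deployed application's web.xml is worth checking as well, not only the global file.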

