Posted to users@tomcat.apache.org by "Dan K." <da...@YorkU.CA> on 2002/07/10 19:50:27 UTC
wp-02-0008: Apache Tomcat Cross Site Scripting
Hi,
Regarding the recent advisory from Westpoint Security:
-------------------------------------
Westpoint Security Advisory
Title: Apache Tomcat Cross Site Scripting
Risk Rating: Low
Software: Apache Tomcat v4.0.3
Platforms: WinNT, Win2k, Linux
Vendor URL: jakarta.apache.org
Author: Matt Moore <ma...@westpoint.ltd.uk>
Date: 10th July 2002
Advisory ID#: wp-02-0008
Overview:
=========
Apache Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat has a couple of Cross Site Scripting vulnerabilities.
<SNIPPED>
Patch Information:
==================
Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.
The workaround for the other XSS issues described above is as follows:
The "invoker" servlet (mapped to /servlet/), which executes anonymous servlet classes that have not been defined in a web.xml file should be unmapped. The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.
-------------------------------------
What does one need to do exactly regarding the work-around for 4.0.x
versions of Tomcat? Unmapping the "invoker" servlet for /servlet/ seems
to disable my webapps! Or am I misinterpreting this?
TIA.
Regards,
Dan
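The fragments below are an added illustration of the workaround the advisory describes; they are not part of the advisory or of the post above. The first two show the invoker servlet entries as Tomcat 4.0.x ships them in conf/web.xml and the mapping commented out. Unmapping the invoker only stops requests of the form /context/servlet/ClassName from instantiating arbitrary classes; servlets that an application declares and maps in its own WEB-INF/web.xml keep working, so the third fragment shows the explicit declaration an application needs for a servlet that was previously reached only through /servlet/. The servlet name, class name and URL pattern in that third fragment (account, com.example.AccountServlet, /account) are placeholders.

```xml
<!-- (1) Tomcat 4.0.x conf/web.xml as shipped: the invoker servlet is
     declared and mapped to /servlet/*, so /anyContext/servlet/some.Class
     runs any servlet class on the web application's classpath without a
     web.xml declaration. -->
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

<!-- (2) The workaround: comment out (or delete) only the servlet-mapping.
     The <servlet> declaration may stay; with no mapping it is never
     invoked. Every servlet that has its own <servlet-mapping> in its
     application's WEB-INF/web.xml is unaffected. -->
<!--
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->

<!-- (3) Placeholder: an application servlet that was only reachable as
     /myapp/servlet/com.example.AccountServlet gets an explicit entry in
     /myapp/WEB-INF/web.xml, after which it is served at /myapp/account. -->
<servlet>
    <servlet-name>account</servlet-name>
    <servlet-class>com.example.AccountServlet</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>account</servlet-name>
    <url-pattern>/account</url-pattern>
</servlet-mapping>
```

The Servlet 2.3 DTD that Tomcat 4 validates against requires all `<servlet>` elements to appear before any `<servlet-mapping>` element, so place the new declaration among the existing servlet entries rather than next to its mapping. After restarting Tomcat, a request to /myapp/servlet/com.example.AccountServlet should return 404 while /myapp/account still serves the servlet; an application that "stops working" after the change is one that was relying on the invoker path and needs the explicit mapping.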