CVE-2007-1355.txt

2007-05-22T00:00:00
ID PACKETSTORM:56883
Type packetstorm
Reporter Mark Thomas
Modified 2007-05-22T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-1355: Tomcat documentation XSS vulnerabilities

Severity:
Moderate (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.36
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.23
Tomcat 6.0.0 to 6.0.10

Description:
The Tomcat documentation web application includes a sample application
that contains multiple XSS vulnerabilities.

Mitigation:
Undeploy the Tomcat documentation web application.

Credit:
These issues were discovered by Ferruh Mavituna.

Example:
http://server/tomcat-docs/appdev/sample/web/hello.jsp?test=<script>alert(document.domain)</script>

  
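The page below is an added, illustrative JSP written for this record to show the class of defect the advisory describes; it is not the hello.jsp shipped in Tomcat's documentation sample application and makes no claim about that file's actual contents. It places the unsafe pattern (a request parameter written straight into the HTML response, which is what lets the test=<script>... URL above execute as script) next to an output-escaped version. The escapeHtml helper is a hypothetical name introduced here; in a real webapp a maintained encoder such as JSTL's <c:out> (which escapes XML by default) is preferable to a hand-written one.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%-- Illustrative hello.jsp (added example, not Tomcat's own sample page). --%>
<%!
    // Hypothetical helper: escape the characters that let a text value
    // break out of an HTML text node or attribute value. StringBuffer rather
    // than StringBuilder so the page also compiles on the Java 1.4
    // containers that Tomcat 4.x and 5.0 ran on.
    private static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
%>
<html>
<head><title>Sample Application JSP Page</title></head>
<body>
<%
    // Untrusted input: anything in the query string reaches this variable.
    String test = request.getParameter("test");
%>
<%-- Unsafe pattern, kept inside a JSP comment so this page is safe as
     deployed: the raw parameter is emitted as markup, so a value of
     <script>alert(document.domain)</script> is executed by the browser.

     <p>Test parameter: <%= test %></p>
--%>
<% if (test != null) { %>
    <%-- Hardened pattern: the same value is escaped before it is written,
         so the browser renders it as literal text rather than markup. --%>
    <p>Test parameter: <%= escapeHtml(test) %></p>
<% } %>
</body>
</html>
```

Deploy the file as hello.jsp in any JSP 1.2 or later container and request it with ?test=<b>hi</b>: the hardened output shows the literal text <b>hi</b> in the page source as &lt;b&gt;hi&lt;/b&gt;, and the script payload from the advisory's example URL is likewise rendered inert. Escaping at the point of output is the fix for the reflected case; undeploying the documentation webapp, as the advisory recommends, removes the exposed page altogether on the affected versions.
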
References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGTxLXb7IeiTPGAkMRAhPzAKDxibK3Cn9Dq+2ZrlhZszmwPAJufACfdvjv
AH8zWtQXPUbBVgDS+6KoNOE=
=/6Zd
-----END PGP SIGNATURE-----