CVE-2007-2449.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
CVE-2007-2449: Apache Tomcat XSS vulnerabilities in the JSP examples  
  
Severity: low (cross-site scripting)  
  
Vendor:  
The Apache Software Foundation  
  
Versions Affected:  
Tomcat 4.0.0 to 4.0.6  
Tomcat 4.1.0 to 4.1.36  
Tomcat 5.0.0 to 5.0.30  
Tomcat 5.5.0 to 5.5.24  
Tomcat 6.0.0 to 6.0.13  
  
Description:  
The JSP examples web application displays does not escape some user  
provided data before including it in the output. This enables a XSS  
attack.  
  
Mitigation:  
1. Undeploy the examples web application(s).  
  
Example:  
http://host:port/jsp-examples/snp/snoop.jsp;<script>alert()</script>test.jsp  
  
Credit:  
These issues were discovered by an unknown security researcher and  
reported to JPCERT.  
  
References:  
http://tomcat.apache.org/security.html  
  
Mark Thomas  
  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iD8DBQFGcKbJb7IeiTPGAkMRAi9BAKDsuoomGh2n9BYl7mT/tGEjQ+HIlQCdHjnU  
zdreMwViLR/bDBnys5YkhPk=  
=SK7+  
-----END PGP SIGNATURE-----  
`