[CVE-2007-1355] Tomcat documentation XSS vulnerabilities

2007-05-19T00:00:00
ID SECURITYVULNS:DOC:17057
Type securityvulns
Reporter Securityvulns
Modified 2007-05-19T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

CVE-2007-1355: Tomcat documentation XSS vulnerabilities

Severity: Moderate (Cross-site scripting)

Vendor: The Apache Software Foundation

Versions Affected: Tomcat 4.0.0 to 4.0.6 Tomcat 4.1.0 to 4.1.36 Tomcat 5.0.0 to 5.0.30 Tomcat 5.5.0 to 5.5.23 Tomcat 6.0.0 to 6.0.10

Description: The Tomcat documentation web application includes a sample application that contains multiple XSS vulnerabilities.

Mitigation: Undeploy the Tomcat documentation web application.

Credit: These issues were discovered by Ferruh Mavituna.

Example: http://server/tomcat-docs/appdev/sample/web/hello.jsp?test=<script>alert(document.domain)</script>

References: http://tomcat.apache.org/security.html

Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGTxLXb7IeiTPGAkMRAhPzAKDxibK3Cn9Dq+2ZrlhZszmwPAJufACfdvjv AH8zWtQXPUbBVgDS+6KoNOE= =/6Zd -----END PGP SIGNATURE-----