-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
CVE-2008-1232: Apache Tomcat XSS vulnerability
Vendor: The Apache Software Foundation
Versions Affected: Tomcat 4.1.0 to 4.1.37 Tomcat 5.5.0 to 5.5.26 Tomcat 6.0.0 to 6.0.16 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Description: The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument.
Mitigation: 6.0.x users should upgrade to 6.0.18 5.5.x users should obtain the latest source from svn or apply this patch which will be included from 5.5.27 http://svn.apache.org/viewvc?rev=680947&view=rev
4.1.x users should obtain the latest source from svn or apply this patch which will be included from 4.1.38 http://svn.apache.org/viewvc?rev=680947&view=rev (connector only) http://svn.apache.org/viewvc?rev=680948&view=rev
Example: <%@page contentType="text/html"%> <% ~ // some unicode characters, that result in CRLF being printed ~ final String CRLF = "\u010D\u010A";
Credit: This issue was discovered by Konstantin Kolinko.
Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkiTGFsACgkQb7IeiTPGAkNG6ACfY+P91mt1/h06Q8c5foCJldFp 9B8An2OvenCD+3nWbLazp6Th+lxWgL7f =lTUT -----END PGP SIGNATURE-----