-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2007-2449: Apache Tomcat XSS vulnerabilities in the JSP examples
Severity: low (cross-site scripting)
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.36
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.24
Tomcat 6.0.0 to 6.0.13
Description:
The JSP examples web application displays does not escape some user
provided data before including it in the output. This enables a XSS
attack.
Mitigation:
1. Undeploy the examples web application(s).
Example:
http://host:port/jsp-examples/snp/snoop.jsp;<script>alert()</script>test
.jsp
Credit:
These issues were discovered by an unknown security researcher and
reported to JPCERT.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGcKbJb7IeiTPGAkMRAi9BAKDsuoomGh2n9BYl7mT/tGEjQ+HIlQCdHjnU
zdreMwViLR/bDBnys5YkhPk=
=SK7+
-----END PGP SIGNATURE-----