The Tomcat documentation web application includes a sample application that contains multiple cross-site scripting (XSS) vulnerabilities. Versions affected include Tomcat 4.0.0 to 4.0.6, Tomcat 4.1.0 to 4.1.36, Tomcat 5.0.0 to 5.0.30, Tomcat 5.5.0 to 5.5.23, and Tomcat 6.0.0 to 6.0.10.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2007-1355: Tomcat documentation XSS vulnerabilities
Severity:
Moderate (Cross-site scripting)
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.36
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.23
Tomcat 6.0.0 to 6.0.10
Description:
The Tomcat documentation web application includes a sample application
that contains multiple XSS vulnerabilities.
Mitigation:
Undeploy the Tomcat documentation web application.
Credit:
These issues were discovered by Ferruh Mavituna.
Example:
https://server/tomcat-docs/appdev/sample/web/hello.jsp?test=<script>alert(document.domain)</script>
References:
https://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - https://enigmail.mozdev.org
iD8DBQFGTxLXb7IeiTPGAkMRAhPzAKDxibK3Cn9Dq+2ZrlhZszmwPAJufACfdvjv
AH8zWtQXPUbBVgDS+6KoNOE=
=/6Zd
-----END PGP SIGNATURE-----
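The advisory's mitigation is to undeploy tomcat-docs; while that is pending, a defender usually wants to know whether the sample application was being probed. The following added example (not part of the advisory or of Tomcat) reads Tomcat access-log lines in the "common" AccessLogValve format, restricts attention to the sample-application path named in the advisory, percent-decodes the query string (probes are normally URL-encoded in logs) and flags requests carrying script-like markup. The log lines are constructed for illustration; the path prefix and markup patterns are assumptions, not something the advisory specifies.

```python
"""Access-log triage for requests against the tomcat-docs sample application.

Constructed example for CVE-2007-1355 triage; not code from the advisory or from Tomcat.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Tomcat AccessLogValve "common" pattern: host ident user [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Path of the sample application named in the advisory (assumed default context path)
SAMPLE_PREFIX = "/tomcat-docs/appdev/sample/"

# Markup fragments that indicate a reflected-XSS probe rather than ordinary use of the page
SUSPECT_RE = re.compile(r'<\s*/?\s*script|javascript:|\bon\w+\s*=', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_xss_probe(uri):
    """True when the request targets the sample app and any query parameter carries
    script-like markup after percent-decoding (the decoding step matters: '%3Cscript%3E'
    would otherwise slip past a literal '<script' match)."""
    parts = urlsplit(uri)
    if not parts.path.startswith(SAMPLE_PREFIX):
        return False
    decoded_query = unquote_plus(parts.query)
    return bool(SUSPECT_RE.search(decoded_query))


def find_probes(lines):
    """Yield (client, uri, status) for every log line that looks like a probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_xss_probe(rec["uri"]):
            hits.append((rec["host"], rec["uri"], rec["status"]))
    return hits


# Constructed sample log: one benign hit on the sample page, one encoded probe against it,
# one probe against a different context (out of scope for this rule), one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2007:12:00:01 +0000] "GET /tomcat-docs/index.html HTTP/1.1" 200 1234',
    '10.0.0.5 - - [10/May/2007:12:00:02 +0000] "GET /tomcat-docs/appdev/sample/web/hello.jsp?test=world HTTP/1.1" 200 512',
    '192.0.2.7 - - [10/May/2007:12:00:03 +0000] "GET /tomcat-docs/appdev/sample/web/hello.jsp?test=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 640',
    '192.0.2.7 - - [10/May/2007:12:00:04 +0000] "GET /other/page.jsp?q=%3Cscript%3E HTTP/1.1" 404 -',
    'not an access log line',
]

if __name__ == "__main__":
    for client, uri, status in find_probes(SAMPLE_LOG):
        print(f"probe from {client} -> {uri} (status {status})")
```

A 200 status on a flagged line means the sample page was still deployed when the probe arrived, which is the condition the advisory's mitigation removes; the same check can be re-run after undeploying to confirm the path now returns 404.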