Penetration Testing mailing list archives
Re: XSS vulnerability on Apache Tomcat server
From: Anthony LaMantia <contact () bia-security com>
Date: 04 Dec 1999 10:24:48 -0800
there is an article on packetstorm at this link:http://packetstorm.decepticons.org/papers/web/xss-faq.txt It provides some information on exploiting cross site scripting issues on systems that use cookie based authentication, this may or may not apply to your situation good luck with the rest of the test Anthony LaMantia http://www.bia-security.com On Mon, 2002-08-12 at 23:59, Erwin van der Zwan wrote:
I am currently pen-testing an Apache Tomcat v4.0.3 web server running on a Windows 2000 box. The server just provides access to an LDAP database through a search query. The box is connected directly to the Internet and seems to be protected by McAfee/PGP personal firewall/IDS which blocks the IP address for 30 minutes or so. TCP ports 21, 80, 389, 1002 and 1720 seems to be open, the rest is filtered/blocked. The server is running tomcat_server/servlet/JNDISearch Java LDAP search code. It seems to be vulnerable for XSS and path disclosure vulnerabilities. I got the path (D:\Tomcat\webapps) but any ideas on how to exploit the XSS vulnerability or advance with the test? Ideas? EvdZ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- XSS vulnerability on Apache Tomcat server Erwin van der Zwan (Aug 13)
- Re: XSS vulnerability on Apache Tomcat server Anthony LaMantia (Aug 14)
- <Possible follow-ups>
- Re: XSS vulnerability on Apache Tomcat server Muhammad Faisal Rauf Danka (Aug 21)