Vulnerability Development mailing list archives
Re: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability
From: KF <dotslash () snosoft com>
Date: Wed, 21 Aug 2002 19:19:59 -0500
Several of the example pages have similar issues.
-KF

Chip McClure wrote:

> This doesn't appear to be backwards compatible, (possibly not even cross platform) though. Tested on an apache / tomcat 4.0.4 server, running FreeBSD. No alerts, just an error 400 page... I don't have access to a tomcat 4.1 system, so can't test there.
>
> Chip
>
> -----
> Chip McClure
> Sr. Unix Administrator
> GigGuardian, Inc.
> http://www.gigguardian.com/
> -----
>
>> ***** This writing is part of Malloc() Hackers & Malloc() Security *****
>> http://www.malloc.tk http://www.superw00t.com
>> *******************************************************************************
>> Title: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability
>> Author: Skinnay of Malloc()
>> Contact: "Skinnay" - (skinnay () skinnux com)
>>
>> No modification of the contents of this file should be made without direct consent of the author or of Malloc() hackers or Malloc() Security.
>> ************************************************************************
>>
>> Apache Tomcat is a Webserver/servlet engine available for multiple *nix platforms and Windows platforms. There exists a cross-site scripting vulnerability in Apache Tomcat that may allow people to craft links to vulnerable webservers and execute malicious instructions.
>>
>> Exploitation:
>> Tested on Tomcat 4.1 / Linux
>> http://example.com:8080/666%0a%0a<script>alert("asdf");</script>666.jsp
>>
>> Found by Skinnay of Malloc().. word.. :P
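A defender-side check for the request shape quoted in the advisory above, as an added example that is not part of the original thread: it percent-decodes request paths from an access log and flags those carrying control characters or angle brackets. The log lines, client addresses, status codes and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not from the thread.
SAMPLE_LOG = r'''192.0.2.10 - - [21/Aug/2002:19:02:11 -0500] "GET /index.jsp HTTP/1.1" 200 5120
192.0.2.44 - - [21/Aug/2002:19:03:40 -0500] "GET /666%0a%0a<script>alert("asdf");</script>666.jsp HTTP/1.1" 404 987
192.0.2.44 - - [21/Aug/2002:19:04:02 -0500] "GET /examples/%3Cscript%3Ex.jsp HTTP/1.1" 400 512
192.0.2.71 - - [21/Aug/2002:19:05:30 -0500] "GET /docs/release%20notes.html HTTP/1.1" 200 2048
'''

# Greedy match on the request field so quotes inside the URL do not end it early.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')  # includes the %0a newline after decoding


def fully_decode(target, max_rounds=3):
    """Percent-decode until stable so nested encodings are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_requests(log_text):
    """Return (client, status, reasons) for paths carrying markup or control bytes."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, request, status = m.groups()
        parts = request.split(' ', 1)
        if len(parts) != 2:
            continue  # malformed request line
        target = parts[1].rsplit(' ', 1)[0]  # drop the trailing HTTP/x.y
        path = fully_decode(target.split('?', 1)[0])
        reasons = []
        if CONTROL_RE.search(path):
            reasons.append('control-char')
        if '<' in path or '>' in path:
            reasons.append('markup')
        if reasons:
            findings.append((client, int(status), reasons))
    return findings
```
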