This doesn't appear to be backwards compatible, (possibly not even cross platform) though. Tested on an apache / tomcat 4.0.4 server, running FreeBSD. No alerts, just an error 400 page...

I don't have access to a tomcat 4.1 system, so can't test there.

Chip

-----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.
http://www.gigguardian.com/
-----

> ***** This writing is part of Malloc() Hackers & Malloc() Security *****
> http://www.malloc.tk
> http://www.superw00t.com
> *******************************************************************************
>
> Title: Apache Tomcat 4.1 Cross-Site Scripting Vulnerability
> ~~~
> Author: Skinnay of Malloc()
> ~~~~~
>
> Contact: "Skinnay" - (skinnayat_private)
> ~~~~~~
>
> No modification of the contents of this file should be made
> without direct consent of the author or of Malloc() hackers or
> Malloc() Security.
> ************************************************************************
>
>
>
> Apache Tomcat is a Webserver/servlet engine available for multiple *nix
> platforms and Windows platforms.
>
>
> There exists a cross-site scripting vulnerability in Apache Tomcat
> that may allow people to craft links to vulnerable webservers
> and execute malicious instructions.
>
>
> Exploitation:
>
> Tested on Tomcat 4.1 / Linux
>
> http://example.com:8080/666%0a%0a