Author: markt
Date: Mon Jun 2 14:42:03 2008
New Revision: 662584
URL: http://svn.apache.org/viewvc?rev=662584&view=rev
Log:
Document potential XSS in host-manager.
This is CVE-2008-1947.
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Jun 2 14:42:03 2008
@@ -222,6 +222,43 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 5.5.SVN">
+<strong>Fixed in Apache Tomcat 5.5.SVN</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947";>
+ CVE-2008-1947</a>
+</p>
+
+ <p>The Host Manager web application did not escape user provided data
before
+ including it in the output. This enabled a XSS attack. This application
+ now filters the data before use. This issue may be mitigated by logging
+ out (closing the browser) of the application once the management tasks
+ have been completed.</p>
+
+ <p>Affects: 5.5.9-5.5.26</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 5.5.26">
<strong>Fixed in Apache Tomcat 5.5.26</strong>
</a>
@@ -331,7 +368,7 @@
<p>The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled a XSS
- attack. These applciations now filter the data before use. This issue
may
+ attack. These applications now filter the data before use. This issue
may
be mitigated by logging out (closing the browser) of the application
once
the management tasks have been completed.</p>
Modified: tomcat/site/trunk/docs/security-6.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jun 2 14:42:03 2008
@@ -216,6 +216,43 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 6.0.SVN">
+<strong>Fixed in Apache Tomcat 6.0.SVN</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947";>
+ CVE-2008-1947</a>
+</p>
+
+ <p>The Host Manager web application did not escape user provided data
before
+ including it in the output. This enabled a XSS attack. This application
+ now filters the data before use. This issue may be mitigated by logging
+ out (closing the browser) of the application once the management tasks
+ have been completed.</p>
+
+ <p>Affects: 6.0.0-6.0.16</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.16">
<strong>Fixed in Apache Tomcat 6.0.16</strong>
</a>
@@ -339,7 +376,7 @@
<p>The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled a XSS
- attack. These applciations now filter the data before use. This issue
may
+ attack. These applications now filter the data before use. This issue
may
be mitigated by logging out (closing the browser) of the application
once
the management tasks have been completed.</p>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun 2 14:42:03 2008
@@ -28,6 +28,20 @@
</section>
+ <section name="Fixed in Apache Tomcat 5.5.SVN">
+ <p><strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947";>
+ CVE-2008-1947</a></p>
+
+ <p>The Host Manager web application did not escape user provided data
before
+ including it in the output. This enabled a XSS attack. This application
+ now filters the data before use. This issue may be mitigated by logging
+ out (closing the browser) of the application once the management tasks
+ have been completed.</p>
+
+ <p>Affects: 5.5.9-5.5.26</p>
+ </section>
+
<section name="Fixed in Apache Tomcat 5.5.26">
<p><strong>low: Session hi-jacking</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333";>
@@ -95,7 +109,7 @@
<p>The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled a XSS
- attack. These applciations now filter the data before use. This issue
may
+ attack. These applications now filter the data before use. This issue
may
be mitigated by logging out (closing the browser) of the application
once
the management tasks have been completed.</p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=662584&r1=662583&r2=662584&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun 2 14:42:03 2008
@@ -22,6 +22,20 @@
</section>
+ <section name="Fixed in Apache Tomcat 6.0.SVN">
+ <p><strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947";>
+ CVE-2008-1947</a></p>
+
+ <p>The Host Manager web application did not escape user provided data
before
+ including it in the output. This enabled a XSS attack. This application
+ now filters the data before use. This issue may be mitigated by logging
+ out (closing the browser) of the application once the management tasks
+ have been completed.</p>
+
+ <p>Affects: 6.0.0-6.0.16</p>
+ </section>
+
<section name="Fixed in Apache Tomcat 6.0.16">
<p><strong>low: Session hi-jacking</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333";>
@@ -101,7 +115,7 @@
<p>The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled a XSS
- attack. These applciations now filter the data before use. This issue
may
+ attack. These applications now filter the data before use. This issue
may
be mitigated by logging out (closing the browser) of the application
once
the management tasks have been completed.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
