the funny part is I hit this issue everytime I assess an application configured with tomcat and was under the impression that it is already a known issue... :)
On 6/19/07, Mark Thomas <[EMAIL PROTECTED]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language > header processing > > Severity: > Low (cross-site scripting) > > Vendor: > The Apache Software Foundation > > Versions Affected: > Tomcat 4.0.0 to 4.0.6 > Tomcat 4.1.0 to 4.1.34 > Tomcat 5.0.0 to 5.0.30 > Tomcat 5.5.0 to 5.5.20 > Tomcat 6.0.0 to 6.0.5 > > Description: > Web pages that display the Accept-Language header value sent by the > client are susceptible to a cross-site scripting attack if they assume > the Accept-Language header value conforms to RFC 2616. Under normal > circumstances this would not be possible to exploit, however older > versions of Flash player were known to allow carefully crafted > malicious Flash files to make requests with such custom headers. > Tomcat now ignores invalid values for Accept-Language headers that do > not conform to RFC 2616. > > Mitigation: > 1. Upgrade to fixed version > 2. Escape values obtained from Accept-Language header before use. > > Credit: > This issue was reported by Masato Anzai and Toshiharu Sugiyama. > > References: > http://tomcat.apache.org/security.html > > Mark Thomas > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFGdxWMb7IeiTPGAkMRAgDgAJkBG6sVBDP/8yxGrZ7CqvEXPNW1mACgiL8M > CyWgpvE5125qciTSYPJbOgU= > =A84r > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
