Re: Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
[EMAIL PROTECTED] wrote:
> Apache Tomcat/4.1.31 ships with built in examples. One of the example
> calendar.jsp suffers from input validation error and could be exploited
> for cross site scripting and cross site request forgery.

This is CVE-2006-7196 which is fixed in 4.1.32, 5.5.16.

Kind regards,

Mark

Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
Apache Tomcat/4.1.31 ships with built in examples. One of the example calendar.jsp suffers from input validation error and could be exploited for cross site scripting and cross site request forgery.

XSS
http://myserver:myport/examples/jsp/cal/cal2.jsp?time=8am%3cscript%3ealert(XSS!)%3c%2fscript%3e

XSRF
http://myserver:myport/examples/jsp/cal/cal2.jsp?time=img%20src=http://xsrfxonfirmed.com/testimage.gif;

- Tushar Vartak
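
For administrators checking whether the example application received such requests, the following is an added example (not part of either post and not Tomcat's own code). It scans access-log lines for `cal2.jsp` requests whose `time` value fails an allowlist, and shows the HTML-encoded form the page would need to emit. The allowlist pattern, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/examples/jsp/cal/cal2.jsp"   # path taken from the report
# Assumption: legitimate values are hour slots such as "8am" or "12pm".
TIME_OK = re.compile(r"(1[0-2]|[1-9])(am|pm)")
# Assumption: Common Log Format style request field, "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_time_param(target):
    """Return (verdict, html_encoded_value), or None if the request is out of scope."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("time")
    if not values:
        return None
    value = values[0]                      # already percent-decoded by parse_qs
    verdict = "ok" if TIME_OK.fullmatch(value) else "suspicious"
    # Output encoding: markup characters become entities and render as text.
    return verdict, escape(value, quote=True)

def scan(log_lines):
    """Return (line_number, encoded_value) for each request failing the allowlist."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        result = check_time_param(match.group(1)) if match else None
        if result and result[0] == "suspicious":
            findings.append((number, result[1]))
    return findings

# Constructed log lines; the two flagged query strings are those quoted in the report.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /examples/jsp/cal/cal2.jsp?time=8am HTTP/1.1" 200 1024',
    '192.0.2.11 - - [01/Jan/2007:10:00:05 +0000] "GET /examples/jsp/cal/cal2.jsp?time=8am%3cscript%3ealert(XSS!)%3c%2fscript%3e HTTP/1.1" 200 1100',
    '192.0.2.12 - - [01/Jan/2007:10:00:09 +0000] "GET /examples/jsp/cal/cal2.jsp?time=img%20src=http://xsrfxonfirmed.com/testimage.gif; HTTP/1.1" 200 1090',
    '192.0.2.13 - - [01/Jan/2007:10:00:12 +0000] "GET /index.jsp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: time={value}")
```

The allowlist flags the second reported URL even though it contains no angle brackets, which a filter that only looks for `<script` would miss.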