The Jakarta Tomcat 4.1 cross-site scripting vulnerability, which was reported last year, is not yet resolved.
http://www.securityfocus.com/archive/82/288502/2002-08-16/2002-08-22/0
I verified this vulnerability on Tomcat 4.1.27 with the Coyote HTTP/1.1 connector.
http://localhost:8080/666%0a%0a<script>alert("asdf");</script>666.jsp
On the other hand, on Tomcat 5.0, it was not reproduced. Tomcat committers, are you neglecting to resolve it for Tomcat 4.x?
Regards,
-- Kan Ogawa [EMAIL PROTECTED]