Howdy,

Fixed in the latest stable releases, upgrade and test for yourself.

Yoav Shapira
Millennium Research Informatics

>-----Original Message-----
>From: Rui Lopes [mailto:[EMAIL PROTECTED]
>Sent: Monday, April 05, 2004 11:05 AM
>To: [EMAIL PROTECTED]
>Subject: Cross-site scripting vulnerability
>
>Hi,
>
>Running the Nikto security tool on Tomcat 4.1 produces a warning that it
>is vulnerable to cross-site scripting attacks. This is the URL it gives
>
>https://<server IP>:443/666%0a%0a<script>alert('Vulnerable');</script>666.jsp
>
>I edited the server IP above. I found a reference to this at
>
>http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0482.html
>
>but no solution was provided. Does anybody know anything more about
>this, especially how to fix it?
>
>I am using Tomcat 4.1.24
>
>Rui.