I notice the "more..." at the end of that... do you have the more by chance?
Cross-site scripting (CSS) vulnerabilities are, generally speaking,
concerned with situations where a server-side process generates HTML
dynamically and there is a possibility of input data that has not been
scrubbed of certain "dangerous" characters (i.e., <>()%, etc.) being
inserted into the generated code. Proper crafting of such input data
can result in code being executed as trusted when it clearly should not be.
(As amazing as it seems, I found the following page from Microsoft, of
all sources!, to be a good explanation of the problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;252985)
As such, a tool that says a server is an enabling vector for such a
vulnerability is not being especially helpful because virtually *any*
server-side code that doesn't deal with such characters is potentially
an "enabling vector". If it narrows down the location of the apparent
vulnerability, i.e., specifies a path it tested, maybe, it might point at
something legitimately of concern. If it's just saying "Hey, Tomcat
could be used to craft a CSS hack", well, yes, it COULD, but then so
could *anything* server-side that generates HTML!
(Ironically, I spent most of today dealing with a servlet filter written
by another team at my company that deals with cross-site scripting
vulnerabilities, but which seems to have some unexpected side-effects,
so I had to get up to speed on CSS vulnerabilities in a hurry!)
Frank
Narses Barona wrote:
Our security tool produces the following warning against Tomcat 4.1.29 :
[HTTP/8080/TCP] Server is an enabling vector for cross-site scripting
exposure in clients [trace-1]. More...
I searched the mailing list and found several references to cross-site
scripting. Based on the information, I am led to believe that the
problem is not with the product, but with the examples or some other
non-critical piece of code. I have removed the
jakarta-tomcat-4.1.29/webapps/examples directory and its content, but
the problem persists. Is there some other file/directory that needs
to be removed to fix this problem? I noticed one reference to a
SnoopServlet, but can't find any file by that name.
Narses Barona
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
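The situation Frank describes, request input concatenated straight into dynamically generated HTML versus the same page with the "dangerous" characters encoded before insertion, as an added illustration that is not code from either poster or from Tomcat (the class, method names and sample input are constructed for this example):

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not from the thread): the minimal output-encoding step a
// servlet filter or JSP would apply before echoing request data into a page.
public class XssEscapeDemo {

    // Characters called out in the thread ("<>()%, etc.") plus '&' and the
    // quote characters that let input break out of an attribute value.
    private static final Map<Character, String> HTML_ESCAPES = new LinkedHashMap<>();
    static {
        HTML_ESCAPES.put('&', "&amp;");  // so an entity already in the input stays literal
        HTML_ESCAPES.put('<', "&lt;");
        HTML_ESCAPES.put('>', "&gt;");
        HTML_ESCAPES.put('"', "&quot;");
        HTML_ESCAPES.put('\'', "&#39;");
        HTML_ESCAPES.put('(', "&#40;");
        HTML_ESCAPES.put(')', "&#41;");
        HTML_ESCAPES.put('%', "&#37;");
    }

    /** Replace each listed character with its HTML entity, one character at a time. */
    public static String escapeHtml(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            String rep = HTML_ESCAPES.get(c);
            out.append(rep != null ? rep : String.valueOf(c));
        }
        return out.toString();
    }

    /** The vulnerable pattern: a request parameter dropped into markup unchanged. */
    public static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "!</p>";
    }

    /** The same page with encoding applied at the point of insertion. */
    public static String renderSafe(String name) {
        return "<p>Hello, " + escapeHtml(name) + "!</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input: markup and the listed characters smuggled in via a parameter.
        String tainted = "<b>Frank</b> (100%)";
        System.out.println("unsafe: " + renderUnsafe(tainted)); // the browser renders the injected <b> tag
        System.out.println("safe:   " + renderSafe(tainted));   // the browser shows the literal text
    }
}
```

Run the unsafe and safe renderings side by side against a parameter containing `<`, `>`, `(`, `)` or `%` to see the difference a scanner like the one in the thread is looking for.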