I have this mostly fixed in my local source for Tomcat 3.3.2, but have not yet committed the changes to CVS. The changes will be present when Tomcat 3.3.2 releases.
Note that the security vulnerability is not in the server itself, but in the examples webapp and the SnoopServlet in the ROOT webapp. Removal of these eliminates the vulnerability. For details, see the "Important Security Note" at:

<http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/bin/>

It includes a link to an explanation of what "cross-site scripting" is for those who are curious.

Cheers,
Larry

-----Original Message-----
From: Ramkumar Krishnan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 9:35 AM
To: Tomcat Users List
Subject: Cross-site scripting!!!

Hi All,

There is a security hole in Tomcat 3.3.1a related to cross-site scripting. Please tell me if this bug is fixed. If so, which version of Tomcat contains the fix for this problem?

Thanks,
Ramkumar

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]