SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

XSS in Tomcat cookies example


Arrow  SecurityAlert : 2971
Arrow  CVE : CVE-2007-3384
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : Tomasz Kuczynski
Arrow  Published : 08.08.2007

Arrow  Affected Software :
The Apache Software Foundation
Tomcat
3.3 to 3.3.2



Arrow  Advisory Content :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-3384: XSS in Tomcat cookies example

Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
3.3 to 3.3.2

Description:
When reporting error messages, Tomcat does not filter user supplied
data before display. This enables an XSS attack.

Mitigation:
Remove examples web application.
Apply patch available from http://tomcat.apache.org/download-33.cgi

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
http://localhost:8080/examples/servlet/CookieExample
populate Name or Value field with:
<script>alert('XSS reflected');</script>
and submit.

References:
http://tomcat.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGsU0Vb7IeiTPGAkMRAoiwAJ4iETiZnDPLKM0v69YZ/FaIhGS8GwCgt+ux
FB0O3FigwHs+A8pP98+gRiA=
=VePF
-----END PGP SIGNATURE-----





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server

Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability

PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)

ADT

Protect your family and valuables with Home Security Systems

Copyright © SecurityReason.com. All Rights Reserved.