178175 – CVE-2006-0254 tomcat examples XSS

Bug 178175 - CVE-2006-0254 tomcat examples XSS

Summary: CVE-2006-0254 tomcat examples XSS

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Application Server
Classification:	Retired
Component:	tomcat
Sub Component:
Version:	2.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Fernando Nasser
QA Contact:
Docs Contact:
URL:
Whiteboard:	reported=20060117,source=cve,public=2...
Depends On:
Blocks:	CVE-2006-0254
TreeView+	depends on / blocked

Reported:	2006-01-18 10:45 UTC by Mark J. Cox
Modified:	2008-01-29 09:58 UTC (History)
CC List:	2 users (show)
Fixed In Version:	RHSA-2006-0161
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-07-11 17:01:48 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mark J. Cox 2006-01-18 10:45:47 UTC

A new cross-site scripting flaw has been reported in the tomcat jsp examples as
shipped in tomcat5-webapps in Red Hat Application Server.  See

http://issues.apache.org/jira/browse/GERONIMO-1474

This is fixed in upstream svn.

Marking this as moderate severity as users should not be putting examples into
production environments.  I've held off marking it low as the examples ought to
show good practices and our users may copy the bad behaviour.

Note also these issues
http://issues.apache.org/bugzilla/show_bug.cgi?id=32953

Note: We've not looked which of these issues actually affect the tomcat5-webapps
package.

Comment 4 Marcel Holtmann 2006-07-11 17:01:48 UTC

This issue has been fixed upstream with Tomcat version 5.5.12 and the upstream
version is part of errata RHSA-2006:0161.

http://rhn.redhat.com/errata/RHSA-2006-0161.html

Note You need to log in before you can comment on or make changes to this bug.