+++ This bug was initially created as a clone of Bug #178175 +++ A new cross-site scripting flaw has been reported in the tomcat jsp examples as shipped in tomcat5-webapps in Red Hat Application Server. See http://issues.apache.org/jira/browse/GERONIMO-1474 This is fixed in upstream svn. Marking this as moderate severity as users should not be putting examples into production environments. I've held off marking it low as the examples ought to show good practices and our users may copy the bad behaviour. Note also these issues http://issues.apache.org/bugzilla/show_bug.cgi?id=32953 Note: We've not looked which of these issues actually affect the tomcat5-webapps package.
Ping. Any plans to update this package in the near future?
The package has been updated with a patch that modifies the examples to properly filter and encode any variables before outputting them as HTML.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0592.html