Quoting the upstream advisory:

The calendar application in the examples contains invalid HTML which renders the XSS protection for the time parameter ineffective. An attacker can therefore perform an XSS attack using the time attribute.

Mitigation:
6.0.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750924&view=rev
- upgrade to 6.0.19 when released
5.5.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750928&view=rev
- upgrade to 5.5.28 when released
4.1.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750927&view=rev
- upgrade to 4.1.40 when released

Example:
http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')});

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
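An added illustration, not Tomcat's code, of why escaping alone stops helping once the attribute is unquoted; it assumes that an unquoted attribute value is the invalid HTML the advisory refers to, and the probe values are constructed for the demo:

```python
import html
from html.parser import HTMLParser

# Constructed request values (not from the advisory): the first relies on an
# unquoted attribute, the second tries to close a quoted one.
UNQUOTED_PROBE = '8am style=color:red'
QUOTED_PROBE = '8am" style="color:red'


def render_unquoted(time_value: str) -> str:
    """Vulnerable pattern (assumed to mirror the invalid HTML in cal2.jsp):
    the value is HTML-escaped, but the attribute is not quoted, so a space
    in the value ends the attribute and whatever follows becomes a new one."""
    return '<input type="text" name="time" value=%s>' % html.escape(time_value)


def render_quoted(time_value: str) -> str:
    """Hardened form: the attribute is quoted and the escaper (quote=True)
    encodes both " and ', so the value cannot leave the attribute."""
    return '<input type="text" name="time" value="%s">' % html.escape(time_value, quote=True)


class _FirstStartTag(HTMLParser):
    """Collects the attributes of the first start tag, split the way a
    tolerant HTML parser (like a browser) splits them."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def parsed_attributes(fragment: str) -> dict:
    """Return {attribute name: value} as the parser sees them (values unescaped)."""
    parser = _FirstStartTag()
    parser.feed(fragment)
    parser.close()
    return dict(parser.attrs or [])


def injected_attributes(fragment: str) -> set:
    """Attribute names the template never wrote: anything beyond type/name/value."""
    return set(parsed_attributes(fragment)) - {'type', 'name', 'value'}


if __name__ == '__main__':
    for probe in (UNQUOTED_PROBE, QUOTED_PROBE):
        print('unquoted:', injected_attributes(render_unquoted(probe)))
        print('quoted:  ', injected_attributes(render_quoted(probe)))
```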
Fixes are located here:
http://svn.apache.org/viewvc?rev=750924&view=rev (patch for 6.x)
http://svn.apache.org/viewvc?rev=750928&view=rev (patch for 5.x)
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html
Unlike the errata stated, the RHSA-2009:1164 update did not fix the CVE-2009-0781 flaw. A future update will address this issue.
This issue has been addressed in the following products: RHAPS Version 2 for RHEL 4 Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html
All child bugs are closed, closing parent bug