Tomcat 4.0.3 does not set the content-type for error messages, so exceptions are displayed as text/plain instead of text/html when viewed through mod_webapp (the default configuration for SH4). This is http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6468 and was fixed in Tomcat 4.0.4.
Note that this bug neatly makes SH4 invulnerable to the cross-site scripting attack detailed in http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt. This must obviously be remedied before we fix this bug.
The advisory mentioned above has been classified as http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0682.
Even without the above bug Stronghold isn't vulnerable to the exploit in the default configuration, but it is vulnerable if the user enables the Tomcat-Standalone service.
Created attachment 77007: Script to check vulnerability
Note that stronghold-tomcat-4.0.3-2 (at least as we ship it) was never vulnerable to the fourth test.
I was wrong when I said Stronghold is only vulnerable if the user enables the Tomcat-Standalone service. Replace 'http://localhost:8080/' with 'http://ServerName/stronghold/examples/java/' in the attached test script, for example.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2002-218.html
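The interaction discussed in this report, an error page that echoes input unescaped but is harmless only because it arrives as text/plain, can be checked on a captured response. The following is an added example, not the attached test script or any vendor code; the marker, the sample responses and all function names are constructed for illustration.

```python
import html
from email.parser import Parser

MARKER = "<i>probe-7f3a</i>"                 # constructed, inert marker
HTML_TYPES = {"text/html", "application/xhtml+xml"}

def classify(raw, marker=MARKER, default_type="text/plain"):
    """Classify one raw HTTP response (str) that may echo `marker`.

    default_type is what the client sees when no Content-Type is sent
    (assumption: text/plain, as the report describes for mod_webapp).
    """
    head, _, body = raw.partition("\r\n\r\n")
    _, _, header_block = head.partition("\r\n")          # drop the status line
    headers = Parser().parsestr(header_block, headersonly=True)
    ctype = headers.get_content_type() if headers["Content-Type"] else default_type
    if marker in body:
        # Unescaped echo: only the content type decides whether it renders.
        return "exposed" if ctype in HTML_TYPES else "masked"
    if html.escape(marker) in body:
        return "escaped"                                  # output encoding is in place
    return "not-reflected"

# Constructed sample responses (not real server output).
SAMPLES = {
    "no content-type": "HTTP/1.1 500 Internal Server Error\r\n"
                       "Server: example\r\n\r\n"
                       "error: " + MARKER,
    "text/plain":      "HTTP/1.1 500 Internal Server Error\r\n"
                       "Content-Type: text/plain\r\n\r\n"
                       "error: " + MARKER,
    "text/html raw":   "HTTP/1.1 500 Internal Server Error\r\n"
                       "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"
                       "<h1>error: " + MARKER + "</h1>",
    "text/html fixed": "HTTP/1.1 500 Internal Server Error\r\n"
                       "Content-Type: text/html\r\n\r\n"
                       "<h1>error: " + html.escape(MARKER) + "</h1>",
}

def report():
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:16} {verdict}")
```

A "masked" verdict is the state described above: correcting the content type alone would turn it into "exposed", so the escaping fix has to land first.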