lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4D4CB07E.9010206@apache.org>
Date: Sat, 05 Feb 2011 02:05:50 +0000
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>
Cc: Tomcat Developers List <dev@...cat.apache.org>,
	announce@...cat.apache.org, announce@...che.org,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2011-0013 Apache Tomcat Manager XSS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-0013 Apache Tomcat Manager XSS vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.5
- - Tomcat 6.0.0 to 6.0.29
- - Tomcat 5.5.0 to 5.5.31
- - Earlier, unsupported versions may also be affected

Description:
The HTML Manager interface displayed web applciation provided data, such
as display names, without filtering. A malicious web application could
trigger script execution by an administartive user when viewing the
manager pages.

Example:
<display-name>&lt;script&gt;alert('hi');&lt;/script&gt;</display-name>

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat version where this issue is fixed
- - Undeploy untrusted web applications
- - Remove the Manager application

Credit:
The issue was identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNTLB+AAoJEBDAHFovYFnnul0P/iupVkfHFjgIN5rkDHVoArfU
MkIcm5GMCqb1d0th8JmEtoFlI09sTJdGwyUbiC4hnuj/lA+BJuW/wDSzM2esfXGX
okraVm1SI6eI5DceQf/QzPZ9FIq3Z8mqixzBX959aQY1+JnW3Ah4vIYvZpaKpyi+
BMIj0JtIVEVNajAnUYQn9ruZg9FFX+t1Ajb6n+CJV3D4ux7XMGLFv2y5XPwVwJXm
AP/0jAHoMbjaRMwHrUxgkIDMpwpOcHFIfFq7zHjo9OTtL2LJ+vrB3FlxV6rZygMt
gwPeDeUoCCphrf1UncUzckW280/WGfsr3xncNEOpCG3o6xQkRV8eoGNikw5xZ2U8
YxLr4RdpJemUhx94jDYiMdT/gYyHbMfHtVsG3VObFp2yEjnLHU7HI6tI3C617nau
Czg1Z/YqnUvZfGDQDL5bXkF6dlWav9CmXuXht7gS3yskkYIJPJn0oZhAYweznK+v
Ua3jqNvsVktsGd76UtRh246Js6ie4EYmusZ3LqJQmsbkoPxkcAFuHCkZqVBR37SF
tt9yI7qUAb+022L+EGQkmjfcy0O9e4WKMXwf5ocywSDVAJH2/EuGTY1vAojHqGNO
hM88fdKus3Vfvj4vqzkAH+4LpdpPmK80xl+KxSJMBg+cWYLe6OGYEL7FbdoswcRv
cNZcMy4fbYmWPQkY+miZ
=sDwq
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ