Re: XSS vulnerability in Tomcat Host Header

2009-07-23 Thread David Fisher
On Jul 23, 2009, at 4:00 AM, Mark Thomas wrote: Konstantin Kolinko wrote: 2009/7/22 Rémy Maucherat : On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas wrote: You'll need to provide more details. Nothing stands out from the security pages. Please provide step by step instructions to reproduce f

Re: XSS vulnerability in Tomcat Host Header

2009-07-23 Thread Mark Thomas
Konstantin Kolinko wrote: > 2009/7/22 Rémy Maucherat : >> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas wrote: >>> You'll need to provide more details. Nothing stands out from the security >>> pages. >>> >>> Please provide step by step instructions to reproduce from a clean Tomcat >>> installation.

Re: XSS vulnerability in Tomcat Host Header

2009-07-23 Thread Leon Rosenberg
So, it was a hoax? :-) Leon On Wed, Jul 22, 2009 at 3:30 PM, Konstantin Kolinko wrote: > 2009/7/22 Rémy Maucherat : >> On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas wrote: >>> You'll need to provide more details. Nothing stands out from the security >>> pages. >>> >>> Please provide step by step

Re: XSS vulnerability in Tomcat Host Header

2009-07-22 Thread Konstantin Kolinko
2009/7/22 Rémy Maucherat : > On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas wrote: >> You'll need to provide more details. Nothing stands out from the security >> pages. >> >> Please provide step by step instructions to reproduce from a clean Tomcat >> installation. >> >> Please also note that poten

Re: XSS vulnerability in Tomcat Host Header

2009-07-22 Thread Rémy Maucherat
On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas wrote: > You'll need to provide more details. Nothing stands out from the security > pages. > > Please provide step by step instructions to reproduce from a clean Tomcat > installation. > > Please also note that potential security vulnerabilities should

Re: XSS vulnerability in Tomcat Host Header

2009-07-22 Thread Mark Thomas
pankaj jairath wrote: > Hello, > > I am using Tomcat 6.0.18 and have hit an XSS issue, wherein a tweaked Host > header containing XSS is processed by the server. I suppose some > validation check should be done on the Host value to prevent such an > attack. > > Appreciate any inputs as to whether t

XSS vulnerability in Tomcat Host Header

2009-07-22 Thread pankaj jairath
Hello, I am using Tomcat 6.0.18 and have hit an XSS issue, wherein a tweaked Host header containing XSS is processed by the server. I suppose some validation check should be done on the Host value to prevent such an attack. Appreciate any inputs as to whether this issue has been fixed? regar