-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2008-1232: Apache Tomcat XSS vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.37 Tomcat 5.5.0 to 5.5.26 Tomcat 6.0.0 to 6.0.16 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument. Mitigation: 6.0.x users should upgrade to 6.0.18 5.5.x users should obtain the latest source from svn or apply this patch which will be included from 5.5.27 http://svn.apache.org/viewvc?rev=680947&view=rev 4.1.x users should obtain the latest source from svn or apply this patch which will be included from 4.1.38 http://svn.apache.org/viewvc?rev=680947&view=rev (connector only) http://svn.apache.org/viewvc?rev=680948&view=rev Example: <%@page contentType="text/html"%> <% ~ // some unicode characters, that result in CRLF being printed ~ final String CRLF = "\u010D\u010A"; ~ final String payload = CRLF + CRLF + "