Re: Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Tue, 04 Sep 2007 20:30:31 -0400
Cc: tusharvartak@xxxxxxxxxxx
In-reply-to: <20070904030044.22274.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070904030044.22274.qmail@xxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tusharvartak@xxxxxxxxxxx wrote:
> Apache Tomcat/4.1.31 ships with built in examples. One of the example 
> calendar.jsp suffers from input validation error and could be exploited for 
> cross site scriptingand cross site request forgery.

This is CVE-2006-7196 which is fixed in 4.1.32 & 5.5.16.

Kind regards,

Mark

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG3finb7IeiTPGAkMRApxAAJ9sMCfco8GUEe9LcqbcA+5GE0AKCQCgsEG+
nH4eUojS1ccH9YKtma/GtQU=
=3NtA
-----END PGP SIGNATURE-----

References:
- Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
  - From: tusharvartak

Prev by Date: Digital Armaments 2007 September-October Hacking Challenge: Symbian
Next by Date: [USN-511-1] Kerberos vulnerability
Previous by thread: Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
Next by thread: [security bulletin] HPSBUX02153 SSRT061181 rev.5 - HP-UX Running Firefox, Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS)
Index(es):
- Date
- Thread