Apache Tomcat DOS Device Name XSS Network Vulnerability

Summary

The remote Apache Tomcat web server is vulnerable to a cross site scripting issue. Description : Apache Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. By making requests for DOS Device names it is possible to cause Tomcat to throw an exception, allowing XSS attacks, e.g: tomcat-server/COM2.IMG%20src='Javascript:alert(document.domain)' (angle brackets omitted) The exception also reveals the physical path of the Tomcat installation.

Solution

Upgrade to Apache Tomcat v4.1.3 beta or later.

References

http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt

Updated on 2015-03-25

Severity

Classification

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Adobe ColdFusion Multiple Cross Site Scripting Vulnerabilities
APC PowerChute Network Shutdown HTTP Response Splitting Vulnerability
Adobe ColdFusion HTTP Response Splitting Vulnerability
appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability
Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability

Take action and discover your vulnerabilities