Bug 182262 - www-servers/tomcat XSS vulnerabilities in the JSP examples (CVE-2007-3386)
Summary: www-servers/tomcat XSS vulnerabilities in the JSP examples (CVE-2007-3386)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: C4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
Reported: 2007-06-16 21:05 UTC by Emanuele Gentili
Modified: 2007-10-12 01:10 UTC
Runtime testing required: ---
Description Emanuele Gentili 2007-06-16 21:05:07 UTC
The JSP examples web application does not escape some user-provided data
before including it in the output. This enables an XSS attack.

Reproducible: Always

Steps to Reproduce:
1. Undeploy the examples web application(s).

Example:
http://host:port/jsp-examples/snp/snoop.jsp;<script>alert()</script>test.jsp
Comment 1 Emanuele Gentili 2007-06-16 21:05:47 UTC
Versions Affected:
Tomcat 4.0.0 to 4.0.6
Tomcat 4.1.0 to 4.1.36
Tomcat 5.0.0 to 5.0.30
Tomcat 5.5.0 to 5.5.24
Tomcat 6.0.0 to 6.0.13
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-16 22:03:57 UTC
java please advise.
Comment 3 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-16 22:16:52 UTC
We do not enable the examples USE flag by default. So by default they are not installed. Really only people new to Tomcat will set and use that flag. I would be surprised if many using it in production or an env where it's likely to be exploited have the examples USE flag set.

There is also an exploit in the manager app
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2450

But that requires a login to exploit. Being as how neither upstream nor we provide a default login, that's also a pretty far-off exploit.

I guess like upstream we can deem both to be low severity. Not sure if we need to do anything specific. Other than announce it and warn users. Guess we could disable examples USE flag as an extreme.

I can add pkg_postinst messages warning when examples is set. Manager webapp is likely used more often.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-17 08:07:27 UTC
I guess a small warning in the ebuild output should be enough.
Comment 5 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-17 15:54:56 UTC
Ok I added a warning to pkg_postinst about both exploits. Also provided links to both so users can be informed. Should be good to go there. Just need an announcement or etc, then security can close bug per normal procedures.
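A check an admin could run for the mitigation discussed above: confirm the example webapps are undeployed and whether the Gentoo package was built with USE=examples. This is an added example, not code from the bug report or the tomcat ebuild; the example webapp names and the VDB USE-file layout are assumptions about the installation being checked.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Gentoo ebuild: check whether
# a Tomcat install still carries the example webapps the report recommends
# undeploying, and whether the Gentoo package was built with USE=examples.
# The webapp names and VDB layout below are assumptions, not values from the bug.

# Webapp names under which Tomcat ships its examples (assumed: jsp-examples and
# servlets-examples in the 4.x/5.x series, examples in 6.x).
EXAMPLE_APPS="jsp-examples servlets-examples examples"

# Print each example webapp deployed under the webapps directory $1, whether
# exploded into a directory or left as a .war; prints nothing when none is there.
find_example_webapps() {
    for app in $EXAMPLE_APPS; do
        [ -d "$1/$app" ] && echo "$1/$app"
        [ -f "$1/$app.war" ] && echo "$1/$app.war"
    done
    return 0
}

# Return 0 if the Gentoo VDB entry $1 (e.g. /var/db/pkg/www-servers/tomcat-<ver>)
# records the examples USE flag as enabled; its USE file holds the flags that
# were set at build time, space-separated.
tomcat_built_with_examples() {
    [ -r "$1/USE" ] || return 1
    for flag in $(cat "$1/USE"); do
        [ "$flag" = "examples" ] && return 0
    done
    return 1
}

# Constructed demo layout so the script runs offline: a webapps tree with
# jsp-examples still deployed and a fake VDB entry built with USE="examples doc".
DEMO="$(mktemp -d)"
mkdir -p "$DEMO/webapps/jsp-examples" "$DEMO/webapps/ROOT" "$DEMO/vdb"
printf 'examples doc\n' > "$DEMO/vdb/USE"

if tomcat_built_with_examples "$DEMO/vdb"; then
    echo "tomcat was built with USE=examples; consider rebuilding without it"
fi
find_example_webapps "$DEMO/webapps"
```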
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-23 18:05:37 UTC
This one is ready for GLSA decision. I vote NO.
Comment 7 Matt Drew (RETIRED) gentoo-dev 2007-06-25 14:00:24 UTC
I also vote NO.