CVE-2009-0781: Apache Tomcat cross-site scripting vulnerability Severity: low Versions Affected: Tomcat 6.0.0 to 6.0.18 Tomcat 5.5.0 to 5.5.27 Description: The calendar application in the examples contains invalid HTML which renders the XSS protection for the time parameter ineffective. An attacker can therefore perform an XSS attack using the time attribute. Example: http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')}); Credit: This issue was discovered by Deniz Cevik. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html submitting Patches to 6/5.5-r6 in [java-experimental] Thanks, weisso Reproducible: Always
submitted as revision 7597 in [java-experimental] Thanks, weisso
+*tomcat-6.0.18-r3 (06 Mar 2009) +*tomcat-5.5.27-r3 (06 Mar 2009) + + 06 Mar 2009; Petteri Räty <betelgeuse@gentoo.org> + +files/5.5/examples-cal.patch, +files/6/examples-cal.patch, + +tomcat-5.5.27-r3.ebuild, +tomcat-6.0.18-r3.ebuild: + Add patch for XSS issue in examples for security bug #261460. Use use deps + in 5.5. +
Arches, please test and mark stable: =www-servers/tomcat-6.0.18-r3 =www-servers/tomcat-5.5.27-r3 Target keywords : "amd64 ppc ppc64 x86"
amd64/x86 stable
ppc64 done
CVE-2009-0781 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0781): Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."
ppc done
Ready for GLSA voting, I say NO.
NO too, closing.
