
Host Manager XSS



CVE-2007-3386: XSS in Host Manager




CVE-2007-3386: XSS in Host Manager

Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24

Description:
The Host Manager Servlet does not filter user supplied data before
display. This enables an XSS attack.

Mitigation:
Log out (close browser) of the Host Manager application once admin
tasks are complete
Upgrade to 6.0.14

Credit:
This issue was discovered by the NTT OSS CENTER who worked with the
JPCERT/CC to report the vulnerability.

Example:
action="http://localhost:8080/host-manager/html/add" method="get">
References:
http://tomcat.apache.org/security.html
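
The Description states that the Host Manager servlet displays user-supplied data without filtering it. The following is an added illustration, not code from Tomcat or from this advisory, contrasting that pattern with validation plus HTML output encoding. The class and method names, the message text and the host-name rule are assumptions made for the example.

```java
import java.util.regex.Pattern;

public class HostMessageEncoding {
    // Assumption: a host name consists of DNS-style labels (letters, digits, '-') joined by '.'.
    private static final Pattern HOST_NAME = Pattern.compile(
        "(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*");

    /** Encode the five characters that are significant in HTML text and attribute values. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static boolean isValidHostName(String name) {
        return name != null && HOST_NAME.matcher(name).matches();
    }

    /** The pattern from the Description: request data copied into the page unchanged. */
    static String messageUnfiltered(String name) {
        return "<p>Message: added host " + name + "</p>";
    }

    /** Hardened form: reject values that are not host names and encode whatever is displayed. */
    static String messageFiltered(String name) {
        String verdict = isValidHostName(name) ? "added host " : "invalid host name ";
        return "<p>Message: " + verdict + escapeHtml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary host name, one value containing markup.
        String[] samples = { "www.example.com", "\"><i>injected</i>" };
        for (String s : samples) {
            System.out.println("unfiltered: " + messageUnfiltered(s));
            System.out.println("filtered:   " + messageFiltered(s));
        }
    }
}
```

For the second sample the unfiltered message contains a live `<i>` element, while the filtered one renders the same characters as inert text.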
