On 17 May 2018 15:46:07 BST, Chris Bonk <bonk.ch...@gmail.com> wrote: >Hello, > >I have a strange issue, I am trying to track down the root cause for an >ancient CVE-2006-1548 > >http://struts.1045723.n5.nabble.com/DO-NOT-REPLY-Bug-38749-New-XSS-vulnerability-in-LookupDispatchAction-td3510079.html > >I can replicate the XSS in Tomcat 4.0.6, however in Tomcat 6.0.37 the >html >characters needed to inject the script are properly encoded, what is >the >mechanism for this? I haven't been able to determine why >ServletException >handles the message parameter different between versioning. > >Can anyone point me in the right direction?
Looks like the error handling was rewritten in 4.1.x. http://svn.apache.org/viewvc/tomcat/archive/tc4.1.x/trunk/container/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java?view=log 286679 looks relevant. I'm on my phone so checking further is tricky but I suspect this is one of those grey areas in the spec where it isn't clear if the webapp or the container is responsible for sanitizing the data. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
