Ladies and Gentlemen:

One of our customers did a security audit on the Tomcat server we
maintain on their system, and it found a few issues:

First, it found a cross-site scripting vulnerability.
Second, it found the HTTP DELETE method enabled.
Third, it found a click-jacking vulnerability.
Fourth, it found the HTTP OPTIONS method enabled.

Back in October, the click-jacking vulnerability came up on another
customer box; I've found the thread, and just now set up the filter and
filter-mapping in conf/web.xml, so that is hopefully taken care of in
the next restart.

But I have no idea what to do about the cross-site scripting
vulnerability, or the DELETE and OPTIONS methods, and I'm having trouble
understanding the materials I've found.

--
JHHL