CERT-In Vulnerability Note CIVN-2007-94
Apache Tomcat SendMailServlet Cross Site Scripting Vulnerability
Original Issue Date: August 06, 2007
Severity Rating: Medium
Systems Affected
• Apache Tomcat versions 4.0.0 to 4.0.6
• Apache Tomcat versions 4.1.0 to 4.1.36
Overview
A vulnerability has been reported in the Apache Tomcat SendMailServlet that could be exploited by an attacker to execute arbitrary script code. Apache Tomcat SendMailServlet is an example application.
Description
The vulnerability exists due to an input validation error in the SendMailServlet module while processing user-supplied data. A remote attacker could exploit it to execute arbitrary script code in a user's browser, in the security context of an affected website.
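The defect class described above, shown as an added illustration for this note: a hypothetical servlet (not the source of Tomcat's own SendMailServlet) that reflects a request parameter into its HTML response without encoding, beside the hardened form that HTML-encodes user-supplied values before they reach the page.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet written for this note; it is NOT Tomcat's SendMailServlet.
// It echoes a request parameter back to the caller, which is the defect class
// (reflected cross-site scripting) the advisory describes.
public class ReflectedMailFormServlet extends HttpServlet {

    // Vulnerable form: the parameter is written into the HTML body as-is, so a
    // crafted value is interpreted by the browser as markup rather than text.
    protected void doGetVulnerable(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<p>Mail sent from: " + req.getParameter("from") + "</p>");
    }

    // Hardened form: every user-supplied value is HTML-encoded before it is
    // placed in the response, so the browser renders it as literal text.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Mail sent from: " + escapeHtml(req.getParameter("from")) + "</p>");
    }

    // Minimal HTML entity encoder for text placed between element tags.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Encoding at output is the general fix; the workaround in this note (removing the examples web application) removes the exposed servlet entirely, which is the appropriate action on a production server that has no need for sample code.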
Workaround
This vulnerability can be addressed by removing the "examples" web application.
Vendor Information
Apache Tomcat
http://tomcat.apache.org/security-4.html
References
US-CERT
http://www.kb.cert.org/vuls/id/862600
FrSIRT
http://www.frsirt.com/english/advisories/2007/2618
SecurityFocus
http://www.securityfocus.com/bid/24999/info
CVE Name
CVE-2007-3383
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information 
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003