Bug 48577

Summary: vulnerability in DefaultServlet
Product: Tomcat 6 Reporter: naviton
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: major    
Priority: P2    
Version: 6.0.20   
Target Milestone: default   
Hardware: All   
OS: All   

Description naviton 2010-01-20 03:14:11 UTC
when you try to import an inexisting page with js fragments in url parameters like

the following content is inserted into response:
"The requested resource ({URL ABOVE}) is not available."
the content is not encoded so js code from url is being executed

i think DefaultServlet should do smth like

but html- or xml- encoding might be better
Comment 1 Mark Thomas 2010-02-02 10:03:23 UTC
I wouldn't class this as a vulnerability as it requires both a bug (missing page) in the app and the app to pass on request parameters to the included page without validating them.

Regardless, I have added HTML filtering so the output isn't corrupted.
Comment 2 Mark Thomas 2010-02-22 21:02:20 UTC
This has been fixed in 6.0.x and will be included in 6.0.25 onwards.
Comment 3 Konstantin Kolinko 2010-03-03 17:25:59 UTC
Fixed in 5.5 in r918592, will be in 5.5.29 onwards.