Bug 48577

Summary: vulnerability in DefaultServlet
Product: Tomcat 6
Reporter: naviton
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: major    
Priority: P2    
Version: 6.0.20   
Target Milestone: default   
Hardware: All   
OS: All   

Description naviton 2010-01-20 03:14:11 UTC
When you try to import a nonexistent page with JS fragments in URL parameters like

http://.../page.jsp?paramName="<script>alert('BT_XSS')</script>">&param2=2...
the following content is inserted into the response:
"The requested resource ({URL ABOVE}) is not available."
The content is not encoded, so JS code from the URL is executed.

I think DefaultServlet should do something like

response.getWriter().write(sm.getString("defaultServlet.missingResource",
  urlEncoder.encode(requestUri)));
but HTML or XML encoding might be better.
Comment 1 Mark Thomas 2010-02-02 10:03:23 UTC
I wouldn't class this as a vulnerability as it requires both a bug (missing page) in the app and the app to pass on request parameters to the included page without validating them.

Regardless, I have added HTML filtering so the output isn't corrupted.
Comment 2 Mark Thomas 2010-02-22 21:02:20 UTC
This has been fixed in 6.0.x and will be included in 6.0.25 onwards.
Comment 3 Konstantin Kolinko 2010-03-03 17:25:59 UTC
Fixed in 5.5 in r918592, will be in 5.5.29 onwards.
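
The difference between the URL encoding proposed in the description and the HTML filtering mentioned in Comment 1, as an added example that is not Tomcat's code. The class, `htmlFilter`, `missingResource` and the sample value are hypothetical and constructed for illustration; the message text is the one quoted in the report.

```java
import java.net.URLEncoder;

public class MissingResourceMessage {

    // Hypothetical helper (assumption, not Tomcat's implementation): escape the
    // characters that can alter HTML structure in element content or in a
    // quoted attribute value.
    static String htmlFilter(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for sm.getString("defaultServlet.missingResource", arg).
    static String missingResource(String arg) {
        return "The requested resource (" + arg + ") is not available.";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the URL in the report.
        String resource =
            "/page.jsp?paramName=\"<script>alert('BT_XSS')</script>\">&param2=2";

        String raw = missingResource(resource);                       // markup reaches the page as-is
        String html = missingResource(htmlFilter(resource));          // browser displays the original text
        String url = missingResource(URLEncoder.encode(resource, "UTF-8")); // inert, but shown as %22%3Cscript...

        // The filtered message must contain no raw markup delimiters.
        if (html.indexOf('<') >= 0 || html.indexOf('>') >= 0) {
            throw new AssertionError("filter left markup in the message");
        }
        System.out.println("unfiltered:    " + raw);
        System.out.println("html-filtered: " + html);
        System.out.println("url-encoded:   " + url);
    }
}
```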