
Apache Tomcat /servlet Cross Site Scripting CVE-2002-0682

Severity
Not available
CVSSv3 Score
Not available
Vulnerability description

The remote Apache Tomcat web server is vulnerable to a cross site scripting issue.

Risk description

By using the /servlet/ mapping to invoke various servlets / classes it is possible to cause Tomcat to throw an exception, allowing XSS attacks, e.g. (angle brackets omitted):

tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.ContainerServlet/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Context/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Globals/SCRIPTalert(document.domain)/SCRIPT

Recommendation

The invoker servlet (mapped to /servlet/), which executes anonymous servlet classes that have not been defined in a web.xml file, should be unmapped. The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.
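For reference, the following is an added illustration (not taken from this advisory or from the Tomcat project's own files) of what the invoker entries in conf/web.xml look like and how they are disabled. The servlet name "invoker", the class org.apache.catalina.servlets.InvokerServlet and the /servlet/* pattern are the defaults shipped with Tomcat 4.x; the surrounding context is assumed and trimmed for clarity.

```xml
<!-- Illustration only: the invoker servlet definition and mapping as found
     in the global conf/web.xml of Tomcat 4.x (assumed default content). -->
<web-app>

  <!-- 1. The servlet definition. Leaving this in place is harmless on its
          own; the mapping below is what exposes it. -->
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>

  <!-- 2. The mapping that routes /servlet/* to the invoker. Remove or
          comment out this block to unmap the invoker, as the
          recommendation above describes. -->
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

</web-app>
```

After editing the file, restart Tomcat and confirm that a request to /servlet/ under any deployed context returns a 404 rather than an invoker-generated response; the global conf/web.xml applies to every web application, so the change does not need to be repeated per context unless an application's own WEB-INF/web.xml re-declares the mapping.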

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Jul 23, 2002
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available