XSS vulnerability between Apache http server and Tomcat using mod_jk connector

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have run into an XSS security problem between Apache http server and Tomcat using the mod_jk connector. I have my Tomcat version 6.0.16 server running behind an Apache http server 2.0.54 (I have also tested with version 2.2.13 with the same result) using mod_jk version 1.2.28. 

If I send the URL

http://XXX.XXX.XXX.XXX/web/13048/1/-/message_boards/category/20180/%22%3E%3Cscript%3Ealert(6814)%3C/script%3E
to port 8080 (directly to my tomcat), the alert doesn't appear. However, if I send the above URL to port 80 (my Apache http server), I get an alert box.
I've manually put in the ;-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false;-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
to ensure they are set to false, but I still get the same behavior. I have looked through the possibilities in workers.properties and don't see anything to help stop this problem. Is this a known issue? 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux