.:[ packet storm ]:.
                               
reconnaissance for both sides

File Name: MDVSA-2008-188.txt
Description:
Mandriva Linux Security Advisory - A number of vulnerabilities have been discovered in the Apache Tomcat server. The default catalina.policy in the JULI logging component did not restrict certain permissions for web applications, which could allow a remote attacker to modify logging configuration options and overwrite arbitrary files. A cross-site scripting vulnerability was found in the HttpServletResponse.sendError() method which could allow a remote attacker to inject arbitrary web script or HTML via forged HTTP headers. A cross-site scripting vulnerability was found in the host manager application that could allow a remote attacker to inject arbitrary web script or HTML via the hostname parameter. A traversal vulnerability was found when using a RequestDispatcher in combination with a servlet or JSP that could allow a remote attacker to use a specially crafted request parameter to access protected web resources. A traversal vulnerability was found when the 'allowLinking' and 'URIencoding' settings were activated which could allow a remote attacker to use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. The updated packages have been patched to correct these issues.
Homepage: http://www.mandriva.com/security/
File Size: 8691
Related CVE(s): CVE-2007-5342, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938
Last Modified: Sep 5 20:23:13 2008
MD5 Checksum: fa0a6a8003587117a6311ddf437cc6f1
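The last traversal issue above turns on how a request path is decoded: a permissive UTF-8 decoder accepts overlong byte sequences and turns them into '.' and '/', so a path that looks harmless before decoding becomes "../.." after it. The following checker is an added example, not code from Mandriva, Packet Storm or the Tomcat project. It percent-decodes the request path from each access-log line once, decodes the bytes both strictly (Python's codec, which rejects overlong forms) and leniently (a small decoder written here to model the permissive behaviour), and flags lines whose lenient view contains a ".." segment or whose bytes are not valid UTF-8. The log lines are constructed, and the use of the overlong form %c0%ae for '.' is an assumption about what a "UTF-8-encoded request" of this kind looks like; the advisory itself gives no request shape.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines in common log format (not taken from
# the advisory or from any real server). The overlong %c0%ae form for "." is
# an assumption about what a "UTF-8-encoded request" of this kind looks like.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2008:20:23:13 +0000] "GET /app/index.jsp HTTP/1.1" 200 1234
10.0.0.7 - - [05/Sep/2008:20:24:01 +0000] "GET /app/%c0%ae%c0%ae/%c0%ae%c0%ae/WEB-INF/web.xml HTTP/1.1" 200 812
10.0.0.9 - - [05/Sep/2008:20:25:44 +0000] "GET /app/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way a permissive decoder does: overlong sequences such
    as C0 AE are accepted and mapped to U+002E ('.'). This models the flawed
    behaviour a traversal filter must not rely on; Python's own codec is strict."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) != need or any(not 0x80 <= c <= 0xBF for c in tail):
            out.append("\ufffd")
            i += 1
            continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def analyse_path(raw_path: str) -> dict:
    """Percent-decode a request path once, then compare strict and lenient
    UTF-8 decoding. Returns the findings plus both decoded views."""
    raw = unquote_to_bytes(raw_path)
    findings = []
    try:
        strict = raw.decode("utf-8")
    except UnicodeDecodeError:
        strict = None
        findings.append("invalid-utf8")  # overlong or malformed bytes after %-decoding
    lenient = lenient_utf8_decode(raw)
    if ".." in lenient.split("/"):
        findings.append("dot-dot-segment")  # traversal visible once decoded
    return {"path": raw_path, "strict": strict, "lenient": lenient, "findings": findings}


def scan_log(text: str) -> list:
    """Return the analysis for every request line that produced a finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        result = analyse_path(m.group("path"))
        if result["findings"]:
            result["line"] = line
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["findings"], hit["path"], "->", hit["lenient"])
```

Run against a real Tomcat access log, the second and third sample lines are the ones to look for: the first carries bytes that a strict decoder rejects outright, which is the clearest sign that someone is probing for a decoder that does not; the third is plain percent-encoded traversal that the strict view already exposes.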
