Cross Site Scripting (XSS) with Jakarta Tomcat.

Alessandro A. Garbagnati

The XSS vulnerability was found at the time Tomcat 4.0.3 was released (and 4.1.2 was in beta). The problem was that specific classes could be run simply by using the /servlet/ mapping.
The Jakarta group working on Tomcat immediately found a solution to the problem.

The simple but working solution was to comment out the /servlet/ mapping in the default web application descriptor (web.xml), located under $TOMCAT_HOME/conf. This has been done since 4.1.3 beta.
A developer can still uncomment the /servlet/ mapping, but on a standard installation that mapping is not available.
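The following is an added example, not part of the original note, showing how to verify that the fix described above is in place on an installation: it strips XML comments from a web.xml and reports whether a /servlet/ url-pattern is still active. The servlet name "invoker" and the class org.apache.catalina.servlets.InvokerServlet in the constructed sample fragments are the Tomcat 4 names assumed here; the note itself only refers to the /servlet/ mapping.

```shell
#!/bin/sh
# Added example (not from the original note): report whether the /servlet/
# mapping in a Tomcat conf/web.xml is still active or has been commented out.

# Reads a web.xml on stdin; prints "active" if a <url-pattern> starting with
# /servlet/ survives outside <!-- ... --> comments, otherwise "disabled".
check_servlet_mapping() {
    # The awk program is a small state machine: text inside comments is
    # dropped, including comments that span several lines (which is how the
    # disabled mapping appears in the fixed web.xml).  Portable POSIX awk.
    if awk '
    {
        s = $0; out = ""
        while (s != "") {
            if (inc) {
                p = index(s, "-->")
                if (p == 0) { s = ""; break }
                s = substr(s, p + 3); inc = 0
            } else {
                p = index(s, "<!--")
                if (p == 0) { out = out s; s = ""; break }
                out = out substr(s, 1, p - 1); s = substr(s, p + 4); inc = 1
            }
        }
        print out
    }' | grep -q '<url-pattern>[[:space:]]*/servlet/'; then
        echo active
    else
        echo disabled
    fi
}

# Constructed sample (assumed Tomcat 4 names): mapping active, as shipped
# before the fix.
sample_active() {
cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <!-- mappings -->
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
EOF
}

# Constructed sample: the fix applied since 4.1.3 beta, mapping commented out.
sample_disabled() {
cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <!-- mappings -->
<!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
-->
</web-app>
EOF
}

# On a real installation: check_servlet_mapping < "$TOMCAT_HOME/conf/web.xml"
sample_active | check_servlet_mapping     # active
sample_disabled | check_servlet_mapping   # disabled
```

Note that the check only looks at the default descriptor; a per-application WEB-INF/web.xml can declare its own mappings, so each deployed application should be checked the same way.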

Personal note: To be honest, I think that this is also a good choice for writing clearer web applications.