Hi mpryor,

sure, regarding:

Web Server Vulnerable to Cross-Site Scripting Attacks

THREAT:

Your Web server does not filter script embedding from links displayed on a server's Web site.

A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon

clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded script is executed in

the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated from

another site entirely).

IMPACT:

By exploiting this vulnerability, malicious scripts can be executed in the client's browser.

SOLUTION:

Any Web server may be affected by this vulnerablity. To prevent cross-site scripting attacks from occuring, web developers should use static pages whenever

possible and sanitize input / output.

The following vendors provided a patches at the web server level. See below for a list of patches for some specific Web servers. If this information does not apply

to your Web server, contact your Web server vendor. If your web server does not support filtering please have your web developers resolve this issue at the

application level.

This issue is fixed in Sun ONE / iPlanet Web Server 4.1 Service Pack 12 and above. The latest service pack is available for download from Sun ONE Web Server

Enterprise Edition 4.1 Service Pack 13 (http://wwws.sun.com/software/download/products/3f8472da.html).

For Microsoft IIS Web server, apply the cumulative patch described in Microsoft Security Bulletin MS02-018

(http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx). No additional service packs are planned for Windows NT 4.0. IIS 5.0 fixes will be included

in Windows 2000 Service Pack 3. IIS 5.1 fixes will be included in Windows XP Service Pack 1.

Lotus Domino had this issue with Domino R5 Web server. Check the Lotus advisory SPR# JCHN4V2HUY

().

For IBM Websphere, please refer to websphere-faultactor-xss (30055) (http://xforce.iss.net/xforce/xfdb/30055).

Any updates here? Our security team doesn't want to allow VDM through the firewall because of these vulnerabilities... so it's put VDI at a bit of a standstill.

it has been three months now, and still no offical reply from VMware regarding this vunerability

Tom Howarth

VMware Communities User Moderator

Thanks for the ping Tom, I'd lost track of this thread. VDM 2.1.1, which was released at the end of October 2008, has upgraded the included version of Tomcat to 5.5.26. Several customers have reported that their static analysis tools no longer return warnings against the updated version.