Apache Tomcat hello.jsp XSS - Vulnerability Database

Apache Tomcat hello.jsp XSS

Description

The hello.jsp file, included as part of Apache Tomcat's default documentation bundle, contains multiple cross-site scripting (XSS) vulnerabilities. This sample application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject malicious scripts. This vulnerability affects Tomcat installations where the documentation and example applications have not been removed from production servers.

Remediation

Remove all Apache Tomcat documentation, examples, and sample applications from production servers immediately. Follow these steps:

1. Delete the following directories from your Tomcat installation:

$CATALINA_HOME/webapps/docs
$CATALINA_HOME/webapps/examples
$CATALINA_HOME/webapps/host-manager
$CATALINA_HOME/webapps/manager (if not required)

2. Verify removal by checking that these applications are no longer accessible via HTTP requests.

3. If you must retain documentation for development environments, ensure these servers are:
• Not accessible from the public internet
• Protected by network segmentation and firewall rules
• Clearly labeled as non-production systems

4. Review your deployment process to ensure documentation and examples are excluded from production deployments by default.
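The following script carries steps 1 and 2 through as a repeatable hardening check. It is an added example, not code from Invicti or from the Tomcat project: the function names, the optional keep-manager switch, and the sample paths and URL in the usage comment are assumptions made here. It deletes the sample webapps (and any matching WAR file, so Tomcat cannot redeploy them on restart), lists anything left behind, and then confirms over HTTP that each context path now answers with a 404.

```shell
#!/bin/sh
# Added example (not from the Invicti page or the Tomcat project): remove
# Tomcat's bundled sample webapps and verify they no longer answer over HTTP.
# Assumes a standard $CATALINA_HOME/webapps layout and curl for the HTTP check.
set -eu

# Sample applications that should never ship to production.
SAMPLE_APPS="docs examples host-manager"

# remove_sample_apps <catalina_home> [keep_manager]
# Deletes the unpacked directories and any matching WAR so autoDeploy cannot
# bring them back. Pass "yes" as the second argument only if the manager app
# is genuinely required on this host.
remove_sample_apps() {
    home="$1"
    keep_manager="${2:-no}"
    apps="$SAMPLE_APPS"
    [ "$keep_manager" = "yes" ] || apps="$apps manager"
    for app in $apps; do
        rm -rf -- "$home/webapps/$app" "$home/webapps/$app.war"
    done
}

# list_remaining_sample_apps <catalina_home>
# Prints every sample webapp still on disk; empty output means step 1 is done.
list_remaining_sample_apps() {
    home="$1"
    for app in $SAMPLE_APPS manager; do
        [ -e "$home/webapps/$app" ] && echo "$app"
        [ -e "$home/webapps/$app.war" ] && echo "$app.war"
    done
    return 0
}

# check_http_removed <base_url>
# Step 2 of the remediation: each context path must now return HTTP 404.
# Returns 1 and names every path that is still being served.
check_http_removed() {
    base="$1"
    rc=0
    for app in $SAMPLE_APPS manager; do
        status=$(curl -s -o /dev/null -w '%{http_code}' "$base/$app/")
        if [ "$status" != "404" ]; then
            echo "still served: $base/$app/ (HTTP $status)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage (paths and URL are constructed placeholders):
#   sh remove_tomcat_samples.sh /opt/tomcat http://127.0.0.1:8080
if [ "$#" -ge 1 ]; then
    remove_sample_apps "$1"
    remaining=$(list_remaining_sample_apps "$1")
    if [ -z "$remaining" ]; then
        echo "filesystem clean: no sample webapps under $1/webapps"
    else
        echo "still present under $1/webapps: $remaining"
    fi
    if [ "$#" -ge 2 ]; then
        check_http_removed "$2"
    fi
fi
```

Run the HTTP check from outside the host's own network where possible: a 404 from localhost does not prove the applications are unreachable through a reverse proxy or load balancer that maps a different path, so repeat it against the externally visible URL as well.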

As a general security practice, never deploy sample applications, default credentials, or vendor documentation to production environments.