“CERT Advisory CA-2000-02 (Malicious Scripting Tags Embedded
in Client Web Requests) discusses how malicious scripts can be
introduced into dynamically generated web pages based on
unvalidated input from untrustworthy sources (typically web
browsers). Most of the advisory addresses issues concerning
browsers and web site developers. The portion of the advisory that
concerns web servers has to do with dynamically generated pages
that the web server may install by default.”
“Java Web Server ships with some example servlets and CGI
scripts that dynamically generate content and could potentially be
exploited because they echo portions of the URL that invoked them
back to the browser. The core functionality of Java Web Server is
secure — it is only the examples that need to be addressed.”
“While only a couple of the examples could be exploited we have
always recommended that all examples and unnecessary servlets be
disabled before deploying Java Web Server into a production
environment.”