XSS vulnerability between Apache http server and Tomcat using mod_jk connector
on 18.08.2009 17:01:30 by Laura Randazzo
I have run into an XSS security problem between Apache http server and
Tomcat using the mod_jk connector. I have my Tomcat version 6.0.16
server running behind an Apache http server 2.0.54 (I have also tested
with version 2.2.13 with the same result) using mod_jk version 1.2.28.
If I send the URL
http://XXX.XXX.XXX.XXX/web/13048/1/-/message_boards/category/20180/%22%3E%3Cscript%3Ealert(6814)%3C/script%3E
to port 8080 (directly to my tomcat), the alert doesn't appear. However,
if I send the above URL to port 80 (my Apache http server), I get an
alert box.
I've manually put in the
;-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false;-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
to ensure they are set to false, but I still get the same behavior. I
have looked through the possibilities in workers.properties and don't
see anything to help stop this problem. Is this a known issue?
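The difference the post describes (the encoded payload arriving at the application decoded when it passes through the proxy, but not when port 8080 is requested directly) as an added example that is not part of the original post or of mod_jk: a hypothetical model of two forwarding modes and a page that echoes the request URI with and without output encoding. `forward_path`, `render_not_found` and `reflects_script` are invented names, and the two modes are a simplification for illustration, not mod_jk's actual forwarding logic.

```python
import html
from urllib.parse import unquote

# Constructed sample: the path from the post, host elided as in the post.
PROBE_PATH = ("/web/13048/1/-/message_boards/category/20180/"
              "%22%3E%3Cscript%3Ealert(6814)%3C/script%3E")


def forward_path(raw_path: str, mode: str) -> str:
    """Hypothetical model of what a front-end proxy hands to the backend.

    'unparsed': pass the request path through byte-for-byte.
    'decoded':  percent-decode once before forwarding.
    A simplification for illustration only, not mod_jk's code.
    """
    if mode == "unparsed":
        return raw_path
    if mode == "decoded":
        return unquote(raw_path)
    raise ValueError(f"unknown mode: {mode}")


def render_not_found(request_uri: str, escape: bool) -> str:
    """A page that echoes the request URI (e.g. a 404 page or breadcrumb).

    escape=False reproduces the reflection the post describes; escape=True
    is the mitigation: HTML-encode untrusted data before putting it in markup.
    """
    shown = html.escape(request_uri, quote=True) if escape else request_uri
    return f'<p>Resource not found: <a href="{shown}">{shown}</a></p>'


def reflects_script(body: str) -> bool:
    """Detection check for a response body: is an unescaped <script tag present?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    for mode in ("unparsed", "decoded"):
        for escape in (False, True):
            body = render_not_found(forward_path(PROBE_PATH, mode), escape)
            print(f"{mode:9} escape={escape!s:5} reflected={reflects_script(body)}")
```

The unescaped page is only dangerous when the proxy hands over the decoded path; HTML-encoding the echoed URI closes it in both modes, independent of how the connector forwards the request.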
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.