Hi "Jon S. Stevens",
Thanks your reply
Today,I download "jakarta-tomcat-4.0-b1.zip" from
http://jakarta.apache.org/.but I can build a special
URL get "jsp" source of Tomcat4.0-b1.
for example:
http://localhost:8080/examples/jsp/snp/snoop%2ejsp
Thanks again.
lovehacker
Copyright 2000-2001 CHINANSL. All Rights
Reserved. Terms of use.
CHINANSL Security Team
<[EMAIL PROTECTED]>
CHINANSL INFORMATION TECHNOLOGY CO.,LTD
(http://www.chinansl.com)
> Dear "lovehacker",
>
> Tomcat 3.0 is an old version and has several
known security holes. That is
> why we recommend that people run the latest
released version which is
> currently 3.1.1 or 3.2.1 (depending on the branch
you are interested).
>
> Also, Tomcat 3.2.2b2 is also available on our
website which fixes the
> recently announced cross site scripting issue.
>
> I would appreciate it if you would test and report
your security holes
> against the released versions and not the old
versions. I see no further
> action necessary unless your hole is also present
in the current code base
> (I suspect that it isn't).
>
> I also may have missed your posting, but giving
advance notice to
> [EMAIL PROTECTED] and/or tomcat-
[EMAIL PROTECTED] would be more
> appropriate than posting to bugtraq first.
>
> thanks,
>
> Jon S. Stevens
> [EMAIL PROTECTED]
> ASF Member
> PMC Member - Jakarta Group
>
> --
> If you come from a Perl or PHP background, JSP is
a way to take
> your pain to new levels. --Anonymous
> <http://jakarta.apache.org/velocity/ymtd/ymtd.html>
>
> on 3/27/01 10:40 PM, "lovehacker"
<[EMAIL PROTECTED]> wrote:
>
> > Topic:
> > Tomcat 3.0 for win2000 Directory traversal
> > Vulnerability
> >
> > vulnerable:
> > Tomcat 3.0 for win2000
> > maybe for other operating system also.
> >
> > discussion:
> > A security vulnerability has been found in
Windows
> > NT/2000 systems that have Tomcat 3.0
installed.The
> > vulnerability allows remote attackers to access
files
> > outside the document root directory scope.
> >
> > exploits:
> > http://target:8080/../../winnt/win.ini%
> > 00examples/jsp/hello.jsp
> > It is possible to cause the Tomcat server to send
> > back the content of win.ini.
> >
> > solution:
> > None
> >
> > Copyright 2000-2001 CHINANSL. All Rights
> > Reserved. Terms of use.
> >
> > CHINANSL Security Team
> > <[EMAIL PROTECTED]>
> > CHINANSL INFORMATION TECHNOLOGY
CO.,LTD
> > (http://www.chinansl.com)
>
>