Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
Mark Thomas wrote:
> What mitigations are you thinking of? The description is intended to be
> sufficient for a user to determine if they match the vulnerability
> conditions. And for this notice I believe it meets these criteria. In this
> case there is no way of configuring yourself away from the vulnerability.
> If you use a RequestDispatcher, you are vulnerable.

My mistake, I understood that if the user was strictly using ISO-8859-1
encoding they were not vulnerable. But I might have missed a few posts in
the backchannel, as I was away teaching all week.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
William A. Rowe, Jr. wrote:
> Mark Thomas wrote:
>> Description:
>> When using a RequestDispatcher the target path was normalised before the
>> query string was removed. A request that included a specially crafted
>> request parameter could be used to access content that would otherwise be
>> protected by a security constraint or by locating it under the WEB-INF
>> directory.
>>
>> Mitigation:
>> 6.0.x users should upgrade to 6.0.18
>
> Stupid question, perhaps, but why weren't mitigations published with this
> advisory? In general we want people to simply adopt the current version,
> but if they don't match the vulnerability conditions (or are willing to
> configure themselves away from them), this should not disrupt the active
> installations.

What mitigations are you thinking of? The description is intended to be
sufficient for a user to determine if they match the vulnerability
conditions. And for this notice I believe it meets these criteria. In this
case there is no way of configuring yourself away from the vulnerability.
If you use a RequestDispatcher, you are vulnerable.

Mark
Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
Mark Thomas wrote:
> Description:
> When using a RequestDispatcher the target path was normalised before the
> query string was removed. A request that included a specially crafted
> request parameter could be used to access content that would otherwise be
> protected by a security constraint or by locating it under the WEB-INF
> directory.
>
> Mitigation:
> 6.0.x users should upgrade to 6.0.18

Stupid question, perhaps, but why weren't mitigations published with this
advisory? In general we want people to simply adopt the current version,
but if they don't match the vulnerability conditions (or are willing to
configure themselves away from them), this should not disrupt the active
installations.
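The advisory text quoted in this thread comes down to an ordering bug: the dispatcher target was normalised (".." segments collapsed) while the query string was still attached, so ".." segments placed in a parameter value could consume the real path segments in front of them. The following is an added example, not code from the thread or from Tomcat, that models that ordering in a few lines of Python so the before and after behaviour can be compared side by side. Everything in it is an assumption for illustration: the resolver functions, the constructed dispatcher target `/jsp/view.jsp?page=...`, and a normaliser that ignores URL decoding and other container details.

```python
# Added example: the vulnerable ordering named in the advisory (normalise the
# whole dispatcher target, then strip the query string) next to the corrected
# ordering (strip the query string first). Not Tomcat code; a simplified model
# that ignores URL decoding and other container behaviour.

from typing import Optional


def strip_query(target: str) -> str:
    """Return the path part of a dispatcher target ("/a/b?x=1" -> "/a/b")."""
    return target.split("?", 1)[0]


def normalise(path: str) -> Optional[str]:
    """Collapse "." and ".." segments as a container's path normaliser would.

    Returns None when ".." tries to climb above the context root so that the
    caller can reject the request instead of silently clamping to "/".
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None  # attempt to escape the context root
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def resolve_before_fix(target: str) -> Optional[str]:
    """Vulnerable ordering: normalise the full target, then drop the query."""
    normalised = normalise(target)
    if normalised is None:
        return None
    return strip_query(normalised)


def resolve_after_fix(target: str) -> Optional[str]:
    """Corrected ordering: drop the query string, then normalise the path."""
    return normalise(strip_query(target))


def is_protected(path: Optional[str]) -> bool:
    """Paths under WEB-INF must never be reachable through a dispatcher."""
    return path is not None and path.upper().startswith("/WEB-INF/")


# Constructed sample: an application that builds its dispatcher target from a
# request parameter value (assumed name "page") under the caller's control.
APP_PATH = "/jsp/view.jsp"


def dispatch(resolver, param_value: str) -> Optional[str]:
    """Resolve the target the sample application would hand to the dispatcher."""
    return resolver(f"{APP_PATH}?page={param_value}")


if __name__ == "__main__":
    # Regression check a container maintainer would keep: a parameter value
    # carrying ".." segments must not change the resolved path.
    value = "/../../WEB-INF/web.xml"
    for name, resolver in (("before fix", resolve_before_fix),
                           ("after fix", resolve_after_fix)):
        resolved = dispatch(resolver, value)
        print(f"{name:10s} -> {resolved!r:25s} protected={is_protected(resolved)}")
```

With the vulnerable ordering the two ".." segments in the parameter value cancel `jsp` and `view.jsp?page=` as if they were ordinary path segments, and the query string removal that follows finds nothing left to remove. With the corrected ordering the parameter value is discarded before normalisation runs, so the resolved path is always the one the application intended. This is also why the thread notes there is no configuration workaround: the ordering lives inside the dispatcher, not in anything a deployment descriptor controls.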