Heads up Tomcatters ... Richard
Remy Maucherat wrote:

> After additional review, it has been discovered that the security bug fixed
> in Tomcat 4.0.3 was more severe than originally thought, and can be used to
> remotely browse the server filesystem.
>
> To exploit this bug, an attacker would require that some user modifiable
> data (like form POST data, or a URL) is directly used by a servlet or JSP
> in a request dispatcher forward or include.
>
> It can be hard to determine if an installation of Tomcat is vulnerable to
> this exploit, as it depends on the web applications installed.
> IMPORTANT NOTE: The default Tomcat installation is NOT vulnerable to this
> bug.
>
> Because of this, it is HIGHLY recommended that all Tomcat 4.0.x users
> either:
> - Apply the binary patch which is available at
>   http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/
>   Note: This particular patch can be applied on all official 4.0.x releases
>   (including 4.0, 4.0.1 and 4.0.2).
> - Upgrade to Tomcat 4.0.3.
> - Upgrade to Tomcat 4.0.4 Beta 1.
>
> Bugzilla report on this problem:
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772
>
> Remy
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
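The condition Remy describes (user-modifiable data reaching a request dispatcher forward or include) is a property of the web application, not of the Tomcat default install, so the check is to look at your own servlets and JSPs. The example below is added here and is not Remy's or the Tomcat project's code: it shows the dispatcher pattern the advisory warns about next to a version that lets the request select only among fixed, application-defined targets, so no request-supplied string is ever handed to getRequestDispatcher(). The parameter name `page` and the JSP paths are assumptions made for the example; the servlet API calls are the standard javax.servlet ones.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PageServlet extends HttpServlet {

    // Constructed for this example: the only paths this servlet will ever dispatch to.
    // Keys are what the client may name; values are paths the application chose.
    private static final Map<String, String> VIEWS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("home", "/WEB-INF/jsp/home.jsp");
        m.put("help", "/WEB-INF/jsp/help.jsp");
        VIEWS = Collections.unmodifiableMap(m);
    }

    // The pattern the advisory describes: the dispatcher target is taken directly
    // from request data. Kept here only to show what to look for during review.
    protected void forwardUnchecked(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = req.getParameter("page");            // user-controlled
        req.getRequestDispatcher(target).forward(req, resp); // used as-is
    }

    // Hardened form: the parameter is a lookup key, never a path. Anything that is
    // not a known key is rejected before the dispatcher is ever consulted.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String key = req.getParameter("page");
        if (key == null) {
            key = "home";
        }
        String target = VIEWS.get(key);
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        RequestDispatcher rd = req.getRequestDispatcher(target);
        if (rd == null) {
            // The container could not resolve a path we configured ourselves:
            // a deployment error, not a client error.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        rd.forward(req, resp);
    }
}
```

The same lookup-key approach applies to include() and to JSP pages that use jsp:forward or jsp:include with a computed page attribute; when auditing an application for this condition, every call site where the dispatcher path is built from request parameters, path info, headers or cookies is a place to apply it.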