t Users List
> Subject: Re: security hole on windows tomcat?
>
>
>
> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>
> John
>
> Paul Sundling("Webdaddy") wrote:
>
> > I came across what appears to be a security hole when
> runn
sorry, that should be http://localhost:8080/john/test.jsp%20 = 404
No Apache is involved.
John
John Turner wrote:
Red Hat Linux.
I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
minutes ago, .exe install, installed as service).
http://localhost/john/test.jsp%20 = 404
John
, 2003 13:28
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?
Interesting.
WinXP
Tomcat 4.1.24
http://localhost:8080/examples/jsp/num/numguess.jsp%20
I get the source.
-e
On Mon, 11 Aug 2003, John Turner wrote:
>
> Let's see the Tomcat-only link.
>
> John
Cox, Charlie [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 12:40 PM
> > To: 'Tomcat Users List'
> > Subject: RE: security hole on windows tomcat?
> >
> >
> > can you turn on debug for the defaultservlet - set it to 99
> > in conf/
I also cannot see this on Windows 2000, or on NetWare, using Tomcat
4.1.18, 4.1.24, or 4.1.26. On NetWare I tried going through Apache and
through 8080, on Windows port 8080.
Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.nov
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue. But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to
> Subject: RE: security hole on windows tomcat?
>
>
> Charlie,
> How do you fix this within apache?
>
> > -Original Message-
> > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 10:15 AM
> > To: 'Tomcat Users Lis
Red Hat Linux.
I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
minutes ago, .exe install, installed as service).
http://localhost/john/test.jsp%20 = 404
John
Paul Sundling wrote:
which operating system?
Paul
John Turner wrote:
Appending "%20" to my Tomcat 4.1.1x URLs ge
Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling("Webdaddy") wrote:
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat 4.1.24 is vulnerable.
I found that if
I just saw this with 4.1.24 on win2k as well. EXTREMELY disturbing!
> -Original Message-
> From: Mikko Hämäläinen [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 8:18 AM
> To: Tomcat Users List
> Subject: Re: security hole on windows tomcat?
>
>
> H
lso include the JDK (vendor and version).
It's not impossible that this might be a JDK problem.
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
OS version
Direc
: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems
iginal Message-
> >>From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> >>Sent: Monday, August 11, 2003 12:07 PM
> >>To: 'Tomcat Users List'
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>sorr
I think you should also include the JDK (vendor and version).
It's not impossible that this might be a JDK problem.
> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2003 6:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: secu
02 PM
>To: Tomcat Users List
>Subject: Re: security hole on windows tomcat?
>
>
>Red Hat Linux.
>
>I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
>minutes ago, .exe install, installed as service).
>
>http://localhost/john/test.jsp%20 = 404
>
>John
> can see what is happening.
>
> > -Original Message-
> > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 12:07 PM
> > To: 'Tomcat Users List'
> > Subject: RE: security hole on windows tomcat?
> >
> >
>
OTECTED]
>> Sent: Monday, August 11, 2003 12:40 PM
>> To: 'Tomcat Users List'
>> Subject: RE: security hole on windows tomcat?
>>
>>
>> can you turn on debug for the defaultservlet - set it to 99
>> in conf/web.xml
>> and post the log.
>
What about your 4.1.2X URLS? Like the current release. I have the
latest apache serving to 4.1.27 and I CAN see the jsp code!
> -Original Message-
> From: John Turner [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 9:22 AM
> To: Tomcat Users List
> Subject: Re
Nope, but this mime mapping exists.
jspf
text/plain
> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:15 PM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
>
ort 80 - pages return fine without the %20
suffix,
always return http 404 with the suffix.
Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confus
ginal Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a
thought that I
had.
I do not have this problem
Mr. Sundling:
I'm running Tomcat 4.1.27 and that does not appear to be an issue. I used
"http://localhost:8080/jweb/left.jsp%20" as my URL.
-Original Message-
From: Spam Email [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: security hole on
ie
-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?
Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling("Webdaddy") wrote:
Hi,
I use Tomcat 4.1.18 on win2k and it seems to be safe, I also tested that
with Tomcat 4.0.1 on Redhat and it was ok too..
- Original Message -
From: "Paul Sundling("Webdaddy")" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 10, 2003 7:00 AM
Subject: security hole on w
:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue. But I'm pretty sure
s Solutions
>>http://www.novell.com
>>
>>
>>
>>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
>>>>>
>>>>>
>>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost
via
>>either port 8080 or po
which operating system?
Paul
John Turner wrote:
Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling("Webdaddy") wrote:
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet
my window
> suffix,
> always return http 404 with the suffix.
>
> Murray
> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 13 August 2003 02:41
> To: [EMAIL PROTECTED]
> Subject: RE: security hole on windows tomcat?
>
>
> So this issue i
fwiw,
windows server 2003 standard edition
j2sdk 1.4.2
jakarta-tomcat-4.1.27-LE-jdk14 zip (not exe)
http://localhost:8080/examples/jsp/num/numguess.jsp%20 problem appeared in
opera 7.11
viewed page in ie 6 and got 404
subsequently got 404 in opera
flicked around other samples in opera and saw sim
of both) I can provide a site where it DOES happen so you guys
> >>>can see what is happening.
> >>>
> >>>
> >>>
> >>>>-Original Message-
> >>>>From: Cox, Charlie [mailto:[EMAIL PROTEC
To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
>
>
> can you turn on debug for the defaultservlet - set it to 99
> in conf/web.xml
> and post the log.
>
> > -Original Message-
> > From: Angus Mezick [mailto:[EMAIL PROTE
sorry, I overlooked where you mentioned it was the default install.
please post a link
Charlie
> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:15 PM
> To: 'Tomcat Users List'
> Subject: RE: securi
Can't replicate your problem, tried both linux and win2k
Version of tomcat is the same as yours.
Paul Sundling("Webdaddy") wrote:
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat 4.1.
you
> have a "jsp " in
> >there somewhere defining it as text?
> >
> >
> >
> >>-Original Message-
> >>From: Angus Mezick [mailto:[EMAIL PROTECTED]
> >>Sent: Monday, August 11, 2003 12:15 PM
> >>To: Tomcat Users Li
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml
and post the log.
> -Original Message-
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:39 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows tomca
lto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Ok guys,
What could I have turned on that would have allowed this bug
to happen?
I can make it happen in both tomcat and tomcat through apache. (Most
recent of both) I c
at is happening.
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a
thought that I
Charlie,
How do you fix this within apache?
> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 10:15 AM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
>
>
> do you have a
m: Cox, Charlie [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:07 PM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
>
>
> sorry, I don't know - I don't use Apache. This was just a
> thought that I
> had.
>
>
Search the archives - I think this is a JDK 1.4.2 related bug.
-Tim
Asaf Barkan wrote:
The syndrome is that when typing:
http://myurl:8080/myfile.jsp%20
The JSP code is delivered to the client.
I have checked this on the following platforms:
Win2k server (SP3)
JRE