On Mon, 11 Dec 2000, Craig R. McClanahan wrote:

> 
> Tomcat 3.2 final has the following security vulnerabilities that have
> subsequently been fixed in the CVS repository:
> * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
>   expose sensitive information (note the double slash after "examples").
> * The "Show Source" custom tag used to display JSP source code can
>   be used to expose sensitive information in WEB-INF.
> 

BTW: I think it should be made clear this is only an issue if you are not
using a webserver, like Apache, in front of the Container. A properly
configured Apache renders these vulnerabilities moot.

-Nick
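
The double-slash URL quoted above suggests a protected-directory check applied to the path before duplicate slashes are collapsed. The sketch below is an added example, not part of the original messages and not Tomcat's code or its actual fix: it contrasts a constructed prefix check on the raw path with a check made after canonicalization. All function names and the "/examples" context handling are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve to clients.
PROTECTED = ("web-inf", "meta-inf")


def canonical_path(raw_path: str) -> str:
    """Decode once, then collapse duplicate slashes and resolve '.' and '..'."""
    decoded = unquote(raw_path).replace("\\", "/")
    # normpath preserves a leading '//', so force exactly one leading slash.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def naive_is_protected(raw_path: str, context: str) -> bool:
    """Constructed 'before' check: prefix match on the raw, unnormalized path."""
    return raw_path.lower().startswith(context.lower() + "/web-inf")


def is_protected(raw_path: str, context: str) -> bool:
    """Compare the first segment below the context path after canonicalization."""
    path = canonical_path(raw_path)
    ctx = canonical_path(context).rstrip("/")  # "" for the root context
    if not (path + "/").startswith(ctx + "/"):
        return False  # request is outside this web application
    rest = path[len(ctx):].lstrip("/")
    first_segment = rest.split("/", 1)[0].lower()
    return first_segment in PROTECTED


# Constructed sample requests against the "/examples" context.
SAMPLES = [
    "/examples/WEB-INF/web.xml",
    "/examples//WEB-INF/web.xml",   # the form quoted in the advisory
    "/examples/./WEB-INF/web.xml",
    "/examples/jsp/index.html",
]

if __name__ == "__main__":
    for url_path in SAMPLES:
        print(f"{url_path:32} naive={naive_is_protected(url_path, '/examples')!s:5} "
              f"canonical={is_protected(url_path, '/examples')}")
```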

