On Mon, 11 Dec 2000, Craig R. McClanahan wrote:

>
> Tomcat 3.2 final has the following security vulnerabilities that have
> subsequently been fixed in the CVS repository:
> * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
>   expose sensitive information (note the double slash after "examples").
> * The "Show Source" custom tag used to display JSP source code can
>   be used to expose sensitive information in WEB-INF.
>

BTW: I think it should be made clear this is only an issue if you are not using a webserver, like apache, in front of the Container. A properly configured apache renders these vulnerabilities moot.

-Nick
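
The double-slash case from the quoted advisory, as an added example that is not part of the original message and not Tomcat's actual fix: a container-side check that canonicalizes the context-relative path before testing it against WEB-INF, so the result does not depend on what a front-end server forwards. It assumes the path is already URL-decoded and has the context path (here `/examples`) stripped; the class and method names are hypothetical, and the sample paths are constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class ProtectedPathCheck {

    /** Canonicalize a context-relative path; returns null if it climbs above the context root. */
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                   // "//" and "/./" contribute no segment
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;            // would escape the web application root
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** True when the path must not be served as a static resource. */
    static boolean isProtected(String contextRelativePath) {
        String p = normalize(contextRelativePath);
        if (p == null) {
            return true;                    // reject anything that leaves the context
        }
        // Case-insensitive match is a conservative assumption for
        // case-insensitive file systems.
        String upper = p.toUpperCase(Locale.ROOT);
        return upper.equals("/WEB-INF") || upper.startsWith("/WEB-INF/");
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the /examples context.
        String[] samples = {
            "/WEB-INF/web.xml",             // direct request
            "//WEB-INF/web.xml",            // the double-slash form from the advisory
            "/jsp/../WEB-INF/web.xml",      // parent-directory variant
            "/./web-inf/web.xml",           // dot segment plus case variant
            "/index.html"                   // ordinary resource
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isProtected(s) ? "deny" : "serve"));
        }
    }
}
```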