I also cannot see this on Windows 2000, or on NetWare, using Tomcat 4.1.18, 4.1.24, or 4.1.26. On NetWare I tried going through Apache and through 8080, on Windows port 8080.
Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322 Novell, Inc., The Leading Provider of Net Business Solutions http://www.novell.com >>> [EMAIL PROTECTED] 8/11/03 10:01:47 AM >>> Red Hat Linux. I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 minutes ago, .exe install, installed as service). http://localhost/john/test.jsp%20 = 404 John Paul Sundling wrote: > which operating system? > > Paul > > John Turner wrote: > >> >> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404. >> >> John >> >> Paul Sundling("Webdaddy") wrote: >> >>> I came across what appears to be a security hole when running tomcat. >>> I'm not sure how widespread it is, but my linux server is safe, yet >>> my windows XP, tomcat 4.1.24 is vulnerable. >>> >>> I found that if you append %20 to a jsp page it shows the source code >>> instead of displaying the page: >>> >>> http://192.168.1.54:8080/index.jsp <shows page as expected> >>> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp> >>> >>> So how widespread is this? >>> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]