Howdy,
Same here, tomcat 4.1.27 on win2k pro, installed from the zip file not as a service, and started via startup.bat, no problems.

Yoav Shapira
Millennium ChemInformatics

>-----Original Message-----
>From: John Turner [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 11, 2003 12:02 PM
>To: Tomcat Users List
>Subject: Re: security hole on windows tomcat?
>
>
>Red Hat Linux.
>
>I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
>minutes ago, .exe install, installed as service).
>
>http://localhost/john/test.jsp%20 = 404
>
>John
>
>Paul Sundling wrote:
>
>> which operating system?
>>
>> Paul
>>
>> John Turner wrote:
>>
>>>
>>> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>>>
>>> John
>>>
>>> Paul Sundling("Webdaddy") wrote:
>>>
>>>> I came across what appears to be a security hole when running tomcat.
>>>> I'm not sure how widespread it is, but my linux server is safe, yet
>>>> my windows XP, tomcat 4.1.24 is vulnerable.
>>>>
>>>> I found that if you append %20 to a jsp page it shows the source code
>>>> instead of displaying the page:
>>>>
>>>> http://192.168.1.54:8080/index.jsp <shows page as expected>
>>>> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>>>>
>>>> So how widespread is this?
>>>>
>>>> Paul Sundling

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]