Howdy,
You are making sure to clean your browser's cache between each test,
right?

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Angus Mezick [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 11, 2003 12:56 PM
>To: Tomcat Users List
>Subject: RE: security hole on windows tomcat?
>
>ARGH! This has gone to just being an apache problem.  Tomcat seems to
>have self-corrected.  I am very confused but will keep looking.  Apache
>still does it though.
>
>> -----Original Message-----
>> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> Sent: Monday, August 11, 2003 12:40 PM
>> To: 'Tomcat Users List'
>> Subject: RE: security hole on windows tomcat?
>>
>>
>> can you turn on debug for the defaultservlet - set it to 99
>> in conf/web.xml
>> and post the log.
>>
>> > -----Original Message-----
>> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
>> > Sent: Monday, August 11, 2003 12:39 PM
>> > To: Tomcat Users List
>> > Subject: RE: security hole on windows tomcat?
>> >
>> >
>> > Nope, but this mime mapping exists.
>> >     <mime-mapping>
>> >         <extension>jspf</extension>
>> >         <mime-type>text/plain</mime-type>
>> >     </mime-mapping>
>> >
>> > > -----Original Message-----
>> > > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> > > Sent: Monday, August 11, 2003 12:15 PM
>> > > To: 'Tomcat Users List'
>> > > Subject: RE: security hole on windows tomcat?
>> > >
>> > >
>> > > did you change any mime-mappings in conf/web.xml? could you
>> > > have a "jsp " in there somewhere defining it as text?
>> > >
>> > > > -----Original Message-----
>> > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
>> > > > Sent: Monday, August 11, 2003 12:15 PM
>> > > > To: Tomcat Users List
>> > > > Subject: RE: security hole on windows tomcat?
>> > > >
>> > > >
>> > > > Ok guys,
>> > > > What could I have turned on that would have allowed this bug
>> > > > to happen?
>> > > > I can make it happen in both tomcat and tomcat through
>> > > > apache.  (Most recent of both)  I can provide a site where
>> > > > it DOES happen so you guys can see what is happening.
>> > > >
>> > > > > -----Original Message-----
>> > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> > > > > Sent: Monday, August 11, 2003 12:07 PM
>> > > > > To: 'Tomcat Users List'
>> > > > > Subject: RE: security hole on windows tomcat?
>> > > > >
>> > > > >
>> > > > > sorry, I don't know - I don't use Apache. This was just a
>> > > > > thought that I had.
>> > > > >
>> > > > > I do not have this problem with 4.1.24 on Win2k
>> > > > >
>> > > > > Charlie
>> > > > >
>> > > > > > -----Original Message-----
>> > > > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
>> > > > > > Sent: Monday, August 11, 2003 11:49 AM
>> > > > > > To: Tomcat Users List
>> > > > > > Subject: RE: security hole on windows tomcat?
>> > > > > >
>> > > > > >
>> > > > > > Charlie,
>> > > > > > How do you fix this within apache?
>> > > > > >
>> > > > > > > -----Original Message-----
>> > > > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> > > > > > > Sent: Monday, August 11, 2003 10:15 AM
>> > > > > > > To: 'Tomcat Users List'
>> > > > > > > Subject: RE: security hole on windows tomcat?
>> > > > > > >
>> > > > > > >
>> > > > > > > do you have apache on the front end and are you
>> > > > > > > only mapping *.jsp where *.jsp%20 is not a match and
>> > > > > > > apache would then serve the file as text?
>> > > > > > >
>> > > > > > > Charlie
>> > > > > > >
>> > > > > > > > -----Original Message-----
>> > > > > > > > From: John Turner [mailto:[EMAIL PROTECTED]
>> > > > > > > > Sent: Monday, August 11, 2003 9:22 AM
>> > > > > > > > To: Tomcat Users List
>> > > > > > > > Subject: Re: security hole on windows tomcat?
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > Appending "%20" to my Tomcat 4.1.1x URLs
>> > > > > > > > generates a 404.
>> > > > > > > >
>> > > > > > > > John
>> > > > > > > >
>> > > > > > > > Paul Sundling("Webdaddy") wrote:
>> > > > > > > >
>> > > > > > > > > I came across what appears to be a security hole when
>> > > > > > > > > running tomcat.
>> > > > > > > > > I'm not sure how widespread it is, but my linux
>> > > > > > > > > server is safe, yet my windows XP, tomcat 4.1.24 is
>> > > > > > > > > vulnerable.
>> > > > > > > > >
>> > > > > > > > > I found that if you append %20 to a jsp page it
>> > > > > > > > > shows the source code instead of displaying the page:
>> > > > > > > > >
>> > > > > > > > > http://192.168.1.54:8080/index.jsp  <shows page
>> > > > > > > > > as expected>
>> > > > > > > > > http://192.168.1.54:8080/index.jsp%20 <shows
>> > > > > > > > > source code of index.jsp>
>> > > > > > > > >
>> > > > > > > > > So how widespread is this?
>> > > > > > > > >
>> > > > > > > > > Paul Sundling

This e-mail, including any attachments, is a confidential business communication, and 
may contain information that is confidential, proprietary and/or privileged.  This 
e-mail is intended only for the individual(s) to whom it is addressed, and may not be 
saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) 
intended recipient, please immediately delete this e-mail from your computer system 
and notify the sender.  Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
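The %20 symptom discussed in this thread lends itself to a regression check an administrator can run against their own Tomcat instance or Apache front end after changing conf/web.xml or the Apache mappings. This is an added example, not code from the thread or from the Tomcat project; the sample URL and the responses it is tested with are constructed, and the classification rules (a 404 is the expected answer, a 200 that still carries JSP markup or comes back as text/plain is a disclosure) are assumptions drawn from the reports above.

```python
"""Regression check for the symptom in the thread: a request for
index.jsp%20 answered with JSP source instead of a rendered page or a 404.
Added example, not from the list thread; sample URL and responses are constructed."""
import re
import sys
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Markup that exists only in unprocessed JSP source (scriptlets, directives,
# expressions, jsp: action tags); rendered output contains none of it.
JSP_SOURCE_RE = re.compile(r"<%|<jsp:")

def variant_url(url: str) -> str:
    """Append %20 to the path component, exactly as in the original report."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path + "%20"))


def classify(status: int, content_type: str, body: str) -> tuple:
    """Classify the response to the %20 variant as (leaked, reason).
    404 is the expected safe answer; a 200 that still carries JSP markup, or
    is labelled text/plain (the mime-mapping symptom in the thread), is a leak."""
    if status == 404:
        return (False, "404: trailing space not resolved to a resource")
    if status != 200:
        return (False, f"status {status}: no content served")
    mime = content_type.split(";")[0].strip().lower()
    if JSP_SOURCE_RE.search(body):
        return (True, f"200 {mime}: body contains unprocessed JSP markup")
    if mime == "text/plain":
        return (True, "200 text/plain: JSP path served as plain text")
    return (False, f"200 {mime}: rendered output, no JSP markup")


def check_url(url: str, timeout: float = 5.0) -> tuple:
    """Live check of a server you run: fetch the %20 variant and classify it."""
    try:
        with urlopen(Request(variant_url(url)), timeout=timeout) as resp:
            body = resp.read(64 * 1024).decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Content-Type", ""), body)
    except HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""), "")


if __name__ == "__main__":
    for base in sys.argv[1:]:
        leaked, reason = check_url(base)
        print(f"{'LEAK' if leaked else 'ok  '} {variant_url(base)} -> {reason}")
```

Run it with the JSP URLs of your own deployment as arguments; a "LEAK" line for the Apache-fronted URL but "ok" for the direct Tomcat port reproduces the split Angus describes.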