-Dsun.io.useCanonCaches=false
Can someone try it and let me know if it change something. If this is not working, then point me to a very simple test case and I will file a new bugtraq bug.
-- Jeanfrancois
Eric J. Pinnell wrote:
I think at this point this might be a worthwile canidate for Sun's bugparade. At least get it on their radars (if they don't know about it already). It's interesting that the bug doesn't show up in Tomcat 4.1.27. When 1.4.2 was released 4.1.24 was the latest stable build.
Regardless the JDK/appserver/whatever should never puke it's guts and spit out the source code when it gets a request it doesn't know how to deal with. Upon failure it should result in some kind of error. Sun might care about this...
-e
On Tue, 12 Aug 2003, Jeff Tulley wrote:
It is highly possible that this is dependent on the JVM you have installed. I actually finally WAS able to see this on Windows XP, but only if Tomcat was running on JVM 1.4.2. The problem did NOT happen with 1.4.1. Of course, JVM version is the one item I left off of my "poll" in my email below. :)
I'm trying to verify this on other OS's and track down what the actual problem is.
But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322 Novell, Inc., The Leading Provider of Net Business Solutions http://www.novell.com
[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via either port 8080 or port 80 - pages return fine without the %20 suffix, always return http 404 with the suffix.
Murray -----Original Message----- From: Jeff Tulley [mailto:[EMAIL PROTECTED] Sent: Wednesday, 13 August 2003 02:41 To: [EMAIL PROTECTED] Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080. We probably need to take a quick poll:
If you have seen this security problem of being able to view JSP source, in what scenario(s)?
Tomcat version OS version Directly to Tomcat ("8080") or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension) Browser version(s) url's where this was seen or not seen
If you have seen this in multiple scenarios, and not in others, please list each separately.
I have NOT seen it in the following scenarios:
Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27 Windows 2000 5.00.2195 Service Pack 4 Directly to port 8080 Internet Explorer 6.0.2800.1106 with all security patches up to date I tried http://(url):8080/index.jsp%20
Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only adding one JNDIRealm beyond the default config) Novell NetWare 6.5 Directly to port 8080, and through Apache - mod_jk.nlm Internet Explorer 6.0.2800.1106 with all security patches up to date I tried http://(url):8080/index.jsp%20 and https://(url)/tomcat/admin/index.jsp%20
Hopefully this mail gets through; I haven't been seeing my emails show up on tomcat-user for some reason (I un/resubscribed today...)
It would be really good to get to the bottom of this!
Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322 Novell, Inc., The Leading Provider of Net Business Solutions http://www.novell.com
[EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
