So be sure to mention the operating system. I was only able to recreate it on Windows, not on Linux.
Paul Sundling
Cox, Charlie wrote:
Do you have Apache on the front end, and are you only mapping *.jsp, where *.jsp%20 is not a match and Apache would then serve the file as text?
Charlie
-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?
Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling("Webdaddy") wrote:
I came across what appears to be a security hole when running Tomcat.
I'm not sure how widespread it is, but my Linux server is safe, yet my
Windows XP, Tomcat 4.1.24 is vulnerable.
I found that if you append %20 to a JSP page it shows the source code
instead of displaying the page:
http://192.168.1.54:8080/index.jsp <shows page as expected>
http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
So how widespread is this?
Paul Sundling
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]