Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
either port 8080 or port 80 - pages return fine without the %20 suffix,
always return HTTP 404 with the suffix.

Murray
-----Original Message-----
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?


So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:

If you have seen this security problem of being able to view JSP
source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat ("8080") or through Apache - JK or JK2?
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
URLs where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please
list each separately.


I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20 and
https://(url)/tomcat/admin/index.jsp%20


Hopefully this mail gets through; I haven't been seeing my emails show
up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
Can you turn on debugging for the default servlet (conf/web.xml) and
also turn on the RequestDumperValve (server.xml) and post the log.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

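A small probe for the scenario the poll above asks about, added here as an example (it is not code from the thread or from Tomcat): it requests each path with and without the trailing %20 and flags a suffixed response that still contains JSP directives or scriptlets, i.e. the file came back uncompiled. The mock server in the block is constructed for the demo and only imitates the two outcomes reported on the list (raw source returned, or an HTTP 404 like Murray's); it says nothing about what any real Tomcat build does. The marker check is a heuristic, so the verdict is only raised when the plain request did not also match.

```python
"""Probe for JSP source disclosure via a trailing "%20" on the request path.

Added example: requests each path plain and with the suffix, then flags a
suffixed response that still carries unprocessed JSP markup. The mock server
below is constructed for the demo and only imitates the two outcomes reported
on the list (source returned, or HTTP 404); it is not Tomcat.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed samples: what a rendered JSP and its raw source might look like.
RENDERED = b"<html><body>Hello, Murray</body></html>"
SOURCE = (b'<%@ page language="java" %>\n'
          b'<html><body>Hello, <%= request.getParameter("name") %></body></html>\n')

# Heuristic: a 200 whose body still contains JSP directives/scriptlets was not
# compiled, so the container handed back the file instead of running it.
JSP_MARKERS = (b"<%@", b"<%=", b"<%!", b"<% ")


def looks_like_jsp_source(status, body):
    """True when a 200 response carries unprocessed JSP directives or scriptlets."""
    return status == 200 and any(marker in body for marker in JSP_MARKERS)


def fetch(url, timeout=5):
    """GET a URL as-is (no re-encoding of %20); return (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "jsp-suffix-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url, paths, suffix="%20"):
    """For each path, compare the plain and suffixed responses and record a verdict."""
    results = {}
    for path in paths:
        plain = fetch(base_url + path)
        suffixed = fetch(base_url + path + suffix)
        results[path] = {
            "plain_status": plain[0],
            "suffixed_status": suffixed[0],
            # Only count it when the plain request did NOT also look like source,
            # so a page that legitimately prints "<%" text is not a false positive.
            "leaks_source": (looks_like_jsp_source(*suffixed)
                             and not looks_like_jsp_source(*plain)),
        }
    return results


class _MockContainer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the two behaviours reported on the list."""
    behaviour = "leak"  # "leak": serve raw source for "...%20"; "fixed": answer 404

    def do_GET(self):
        if self.path.endswith("%20"):
            if self.behaviour == "leak":
                self._reply(200, "text/plain", SOURCE)
            else:
                self._reply(404, "text/html", b"Not Found")
        elif self.path == "/index.jsp":
            self._reply(200, "text/html", RENDERED)
        else:
            self._reply(404, "text/html", b"Not Found")

    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo(behaviour="leak"):
    """Run the probe against the mock (ephemeral loopback port) and return its results."""
    handler = type("Handler", (_MockContainer,), {"behaviour": behaviour})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return probe(base_url, ["/index.jsp"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in ("leak", "fixed"):
        print(mode, demo(mode))
```

Against a real install you would call probe("http://host:8080", ["/index.jsp", "/tomcat/admin/index.jsp"]) with the URLs from the poll, once directly on 8080 and once through Apache/JK, and keep the (plain_status, suffixed_status) pair for each so the 404 case and the source-returned case are reported separately. urllib sends the path exactly as written, so the "%20" reaches the container rather than being normalised away by the client.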