Can you turn on debugging for the default servlet (conf/web.xml) and also turn on the RequestDumperValve (server.xml) and post the log?
> -----Original Message-----
> From: Paul Sundling [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 8:43 PM
> To: Tomcat Users List
> Subject: Re: security hole on windows tomcat?
>
> I never changed the mime-mapping when I installed it. I run tomcat
> manually or as a manual service. When I tried running tomcat as an
> automatic service, it had trouble. The only changes I made were in
> configs specific to webapps. The problem is present on the unmodified
> examples webapp. The only two jars I added in the SDK were the JDBC
> drivers for postgres and mysql.
>
> Paul Sundling
>
> Cox, Charlie wrote:
>
> > did you change any mime-mappings in conf/web.xml? could you have a
> > "jsp " in there somewhere defining it as text?
> >
> >> -----Original Message-----
> >> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> >> Sent: Monday, August 11, 2003 12:15 PM
> >> To: Tomcat Users List
> >> Subject: RE: security hole on windows tomcat?
> >>
> >> Ok guys,
> >> What could I have turned on that would have allowed this bug to happen?
> >> I can make it happen in both tomcat and tomcat through apache. (Most
> >> recent of both) I can provide a site where it DOES happen so you guys
> >> can see what is happening.
> >>
> >>> -----Original Message-----
> >>> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> >>> Sent: Monday, August 11, 2003 12:07 PM
> >>> To: 'Tomcat Users List'
> >>> Subject: RE: security hole on windows tomcat?
> >>>
> >>> sorry, I don't know - I don't use Apache. This was just a thought that
> >>> I had.
> >>>
> >>> I do not have this problem 4.1.24 on Win2k
> >>>
> >>> Charlie
> >>>
> >>>> -----Original Message-----
> >>>> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> >>>> Sent: Monday, August 11, 2003 11:49 AM
> >>>> To: Tomcat Users List
> >>>> Subject: RE: security hole on windows tomcat?
> >>>>
> >>>> Charlie,
> >>>> How do you fix this within apache?
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> >>>>> Sent: Monday, August 11, 2003 10:15 AM
> >>>>> To: 'Tomcat Users List'
> >>>>> Subject: RE: security hole on windows tomcat?
> >>>>>
> >>>>> do you have apache on the front end and are you only mapping
> >>>>> *.jsp where *.jsp%20 is not a match and apache would then serve the
> >>>>> file as text?
> >>>>>
> >>>>> Charlie
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: John Turner [mailto:[EMAIL PROTECTED]
> >>>>>> Sent: Monday, August 11, 2003 9:22 AM
> >>>>>> To: Tomcat Users List
> >>>>>> Subject: Re: security hole on windows tomcat?
> >>>>>>
> >>>>>> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> >>>>>>
> >>>>>> John
> >>>>>>
> >>>>>> Paul Sundling("Webdaddy") wrote:
> >>>>>>
> >>>>>>> I came across what appears to be a security hole when running tomcat.
> >>>>>>> I'm not sure how widespread it is, but my linux server is safe, yet my
> >>>>>>> windows XP, tomcat 4.1.24 is vulnerable.
> >>>>>>>
> >>>>>>> I found that if you append %20 to a jsp page it shows the source code
> >>>>>>> instead of displaying the page:
> >>>>>>>
> >>>>>>> http://192.168.1.54:8080/index.jsp <shows page as expected>
> >>>>>>> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
> >>>>>>>
> >>>>>>> So how widespread is this?
> >>>>>>>
> >>>>>>> Paul Sundling
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
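The thread above asks for logs to work out whether the trailing-space requests are being served as source. The following is an added example, not code from the thread or from Tomcat, showing how a defender would scan access-log lines for the symptom described: a request for a server-side page whose decoded path carries a trailing space (as in the `index.jsp%20` case) and that was answered with a 200 rather than the 404 John Turner reports. It generalises slightly beyond the thread by also treating a trailing encoded dot (`%2e`) as suspicious, since the same trailing-character mapping behaviour applies to it. The log lines, the host addresses and the paths are constructed for the example; the log format assumed is the Apache/Tomcat "common" format.

```python
import re
from urllib.parse import unquote

# Apache/Tomcat "common" access-log line: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions whose raw file contents must never reach a client.
SERVER_SIDE_EXTS = (".jsp", ".jspx")


def suspicious_suffix(target: str) -> bool:
    """True when the decoded request path names a server-side page but has a
    trailing space or dot after the extension (e.g. "/index.jsp " decoded from
    "/index.jsp%20"). The query string is ignored so "?x=1%20" is not a hit."""
    path = target.split("?", 1)[0]
    decoded = unquote(path)
    stripped = decoded.rstrip(" .")
    if stripped == decoded:
        return False  # nothing trailing, normal request
    return stripped.lower().endswith(SERVER_SIDE_EXTS)


def classify_line(line: str):
    """Return a finding dict for a suspicious request, else None.
    A 200 on such a path is flagged as a possible source disclosure; any other
    status means the server rejected or redirected the odd path."""
    m = LOG_RE.match(line)
    if not m or not suspicious_suffix(m["target"]):
        return None
    status = int(m["status"])
    verdict = "possible-source-disclosure" if status == 200 else "rejected"
    return {"host": m["host"], "target": m["target"],
            "status": status, "verdict": verdict}


def scan(lines):
    """Run classify_line over an iterable of log lines and keep the findings."""
    return [f for f in (classify_line(l) for l in lines) if f]


# Constructed sample log lines (not real traffic) covering the cases that matter:
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2003:20:43:01 -0400] "GET /index.jsp HTTP/1.1" 200 1532',
    '10.0.0.5 - - [11/Aug/2003:20:43:05 -0400] "GET /index.jsp%20 HTTP/1.1" 200 2210',
    '10.0.0.7 - - [11/Aug/2003:20:44:10 -0400] "GET /examples/jsp/dates/date.jsp%20 HTTP/1.0" 404 -',
    '10.0.0.9 - - [11/Aug/2003:20:45:00 -0400] "GET /images/logo.gif%20 HTTP/1.1" 404 -',
    '10.0.0.5 - - [11/Aug/2003:20:46:30 -0400] "GET /index.jsp%2e HTTP/1.1" 200 2210',
    '10.0.0.8 - - [11/Aug/2003:20:47:00 -0400] "GET /admin.jsp?x=1%20 HTTP/1.1" 200 840',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status check is a heuristic: a 200 on `/index.jsp%20` is worth investigating, but only the response body (or the RequestDumperValve output the thread asks for) proves that source was served rather than the rendered page. Note that the second sample line is the same request Paul describes, and the third is the 404 John reports.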