Paul Sundling
Cox, Charlie wrote:
did you change any mime-mappings in conf/web.xml? could you have a "jsp " in there somewhere defining it as text?
-----Original Message----- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:15 PM To: Tomcat Users List Subject: RE: security hole on windows tomcat?
Ok guys,
What could I have turned on that would have allowed this bug to happen?
I can make it happen in both tomcat and tomcat through apache. (Most
recent of both) I can provide a site where it DOES happen so you guys
can see what is happening.
-----Original Message--------------------------------------------------------------------------
From: Cox, Charlie [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a thought that I
had.
I do not have this problem 4.1.24 on Win2k
Charlie
-----Original Message----- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 11:49 AM To: Tomcat Users List Subject: RE: security hole on windows tomcat?
Charlie, How do you fix this within apache?
-----Original Message-----file as text?
From: Cox, Charlie [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
do you have apache on the front end and are you only mapping *.jsp where
*.jsp%20 is not a match and apache would then serve the
Charlie
-----Original Message----- From: John Turner [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 9:22 AM To: Tomcat Users List Subject: Re: security hole on windows tomcat?
Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling("Webdaddy") wrote:
I came across what appears to be a security hole whenrunning tomcat.
I'm not sure how widespread it is, but my linux server issafe, yet my
windows XP, tomcat 4.1.24 is vulnerable.source code
I found that if you append %20 to a jsp page it shows the
instead of displaying the page:index.jsp>
http://192.168.1.54:8080/index.jsp <shows page as expected>
http://192.168.1.54:8080/index.jsp%20 <shows source code of
So how widespread is this?
Paul Sundling
---------------------------------------------------------------------[EMAIL PROTECTED]To unsubscribe, e-mail:
[EMAIL PROTECTED]For additional commands, e-mail:
---------------------------------------------------------------------[EMAIL PROTECTED]To unsubscribe, e-mail:
[EMAIL PROTECTED]For additional commands, e-mail:
[EMAIL PROTECTED]To unsubscribe, e-mail:
---------------------------------------------------------------------[EMAIL PROTECTED]For additional commands, e-mail:
[EMAIL PROTECTED]To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail:
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]