Charlie,

How do you fix this within apache?

> -----Original Message-----
> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 10:15 AM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
>
> do you have apache on the front end and are you only mapping *.jsp where
> *.jsp%20 is not a match and apache would then serve the file as text?
>
> Charlie
>
> > -----Original Message-----
> > From: John Turner [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 9:22 AM
> > To: Tomcat Users List
> > Subject: Re: security hole on windows tomcat?
> >
> > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> >
> > John
> >
> > Paul Sundling("Webdaddy") wrote:
> >
> > > I came across what appears to be a security hole when running tomcat.
> > > I'm not sure how widespread it is, but my linux server is safe, yet my
> > > windows XP, tomcat 4.1.24 is vulnerable.
> > >
> > > I found that if you append %20 to a jsp page it shows the source code
> > > instead of displaying the page:
> > >
> > > http://192.168.1.54:8080/index.jsp <shows page as expected>
> > > http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
> > >
> > > So how widespread is this?
> > >
> > > Paul Sundling
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
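
The front-end mapping gap raised in the quoted reply (only *.jsp is forwarded, so *.jsp%20 is not a match and the file is served as text), as an added example that is not part of the original thread: a Python check over access-log lines that flags requests whose decoded path misses a literal .jsp suffix test only because of trailing spaces. The log lines are constructed, and the function names and the suffix-mapping model are assumptions, not Apache's or Tomcat's own matching code.

```python
import re
from urllib.parse import unquote

# Extensions the front end is assumed to forward to the servlet container.
SCRIPT_EXTS = (".jsp",)

# Constructed access-log lines (common log format); not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Aug/2003:10:15:01 -0400] "GET /index.jsp HTTP/1.1" 200 512
192.0.2.10 - - [11/Aug/2003:10:15:07 -0400] "GET /index.jsp%20 HTTP/1.1" 200 1840
192.0.2.11 - - [11/Aug/2003:10:16:12 -0400] "GET /images/logo.gif HTTP/1.1" 200 2048
192.0.2.12 - - [11/Aug/2003:10:17:30 -0400] "GET /app/report.jsp%20%20?id=7 HTTP/1.1" 404 310
192.0.2.12 - - [11/Aug/2003:10:18:02 -0400] "GET /docs/a%20b.html HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def suffix_mapping_matches(path):
    """Model of a '*.jsp' mapping: literal suffix test on the decoded path."""
    return path.endswith(SCRIPT_EXTS)

def classify(raw_target):
    """Return 'mapped', 'bypass' or 'static' for a raw request target."""
    path = unquote(raw_target.split("?", 1)[0])  # drop query, decode %20
    if suffix_mapping_matches(path):
        return "mapped"   # forwarded to the container and executed
    if suffix_mapping_matches(path.rstrip(" ")):
        return "bypass"   # misses the mapping only because of trailing spaces
    return "static"

def find_bypasses(log_text):
    """Collect (target, status) for requests that slip past the suffix mapping."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and classify(m.group(1)) == "bypass":
            hits.append((m.group(1), int(m.group(2))))
    return hits

if __name__ == "__main__":
    for target, status in find_bypasses(SAMPLE_LOG):
        # A 200 means something was served for a path the mapping did not claim.
        print(f"{status} {target}")
```

A flagged request answered with 200 is the one to look at; a 404, as in John Turner's report, means nothing was served for that path.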