On a related topic, security bugs should be reported privately by email to [EMAIL PROTECTED]
If this had been a real issue it would have been nice to be able to get the patch out there before it was announced on a public list ;)
Mark
Mike Curwen wrote:
hmm.. that would be _this_ old chestnut... (a little eager on the send, sorry.)
http://shh.thathost.com/secadv/2001-03-29-tomcat.txt
This particular exploit was fixed a long time ago (wasn't it?)
Mike Curwen
-----Original Message-----
From: Norris Shelton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 16, 2005 9:27 AM
To: Tomcat
Subject: percent 0008 exploit
A co-worker that supports a federal site just got an e-mail from their admins indicating that his site is exposing jsp source code when they append %0008 to the end of their URLs. The view source shows his exact pages.
He is using Tomcat 4.1.30 and JDK 1.4.2_05
I tried it on my servers (TC 4.1.30 and JDK 1.4.2_06). Is this a JRE vulnerability?
=====
Norris Shelton
Software Engineer
Sun Certified Java 1.1 Programmer
Appriss, Inc.
ICQ# 26487421
AIM NorrisEShelton
YIM norrisshelton
