> From: Aditi Sinha [mailto:adisinha0...@gmail.com] 
> Subject: Need help to understand CVE-2007-0450

> We have a web server hosted on Tomcat 7.0.22.

> The tool was able to access the Tomcat manager application with the
> following URL :
> http://localhost:8080/scripts/\../manager/html

> As per Tomcat security documents the issue is not present in Tomcat 7.

> Is there anything wrong in our web application deployment?

As documented here:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10

there are two Java system properties that control behavior of Tomcat with 
regard to such URLs.  Make sure neither is enabled.

 - Chuck
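The reply does not name the two properties; the "Fixed in Apache Tomcat 6.0.10" section it links lists `org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH` and `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH`, both false by default. The script below is an added example, not part of the thread or of Tomcat, that scans configuration files for either property set to true; the function name `check_tomcat_props` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Property names are the two listed in the
# Tomcat 6.0.10 security notes; both default to false.
PROPS='org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH'

# check_tomcat_props FILE...
# Prints one line per property found set to true; returns 1 if any was found.
check_tomcat_props() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        for p in $PROPS; do
            # Escape the dots so they match literally.
            pat=$(printf '%s' "$p" | sed 's/\./\\./g')
            # Skip comment lines, then match "prop=true" (properties file)
            # or "-Dprop=true" (JVM options in a startup script).
            if grep -v '^[[:space:]]*#' "$f" |
               grep -Eiq "(^|[[:space:]\"'])(-D)?${pat}[[:space:]]*[=:][[:space:]]*true"; then
                echo "ENABLED: $p in $f"
                found=1
            fi
        done
    done
    return "$found"
}

# Constructed sample input: a startup script that enables one property.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"
EOF
check_tomcat_props "$demo" || echo "fix: remove the property or set it to false"
rm -f "$demo"
```

Typical files to pass are `conf/catalina.properties` and `bin/setenv.sh`; which files set system properties in a given install is an assumption to confirm locally.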

