If things are configured properly, web users won't be able to see anything outside your app hierarchy, so something clearly isn't set up properly.

On 4/18/2013 9:14 AM, Wen Liu wrote:


Howdy,

I have an issue with Tomcat security, please find the spec below:

Server version: Apache Tomcat/6.0.35
Server built:   Nov 28 2011 11:20:06
Server number:  6.0.35.0
OS Name:        SunOS
OS Version:     5.10
Architecture:   x86
JVM Version:    1.6.0_33-b03
JVM Vendor:     Sun Microsystems Inc.


For the problematic server, all files on the server are exposed to all users through 
http://<masterservice_IP>:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../<location_of_the_file>

i.e. open Chrome, give http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages and press enter to see the server system log..

It happens with any browser..

I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is a service config issue.. Can someone please have a look?..

Please let me know if any further info is required..


Thanks & Regards,

Wen
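The symptom in the post (an `xmlUrl=../../../../../` parameter reaching files outside the application) is a path-traversal defect in the `TransformXML` servlet itself, not something Tomcat's own configuration will block once a servlet opens whatever path it is handed. The following is an added example, not code from the poster's application or from Tomcat: a containment check such a servlet could apply to `xmlUrl` before opening the file. The class name `XmlPathGuard`, the choice of a data directory as the only permitted base, and the assumption that `xmlUrl` names a local file rather than a remote URL are all mine; the traversal input used in the demo is the one quoted in the post.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not the poster's servlet): resolves an "xmlUrl"-style
 * parameter against a fixed base directory and refuses anything that
 * escapes it. Assumes the servlet is meant to read local XML files only.
 */
public final class XmlPathGuard {

    private final Path baseDir;

    public XmlPathGuard(Path baseDir) throws IOException {
        // Canonicalise once: toRealPath() resolves symlinks and "." / "..".
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the canonical path of the requested file if, and only if, it
     * exists and lies under baseDir. Returns null for anything else, so the
     * caller can answer 403/404 without ever opening the file.
     */
    public Path resolve(String xmlUrl) throws IOException {
        if (xmlUrl == null || xmlUrl.isEmpty()) {
            return null;
        }
        // Absolute paths and scheme-like values ("file:", "http:") are not
        // file names inside the data directory, so reject them outright.
        if (xmlUrl.startsWith("/") || xmlUrl.startsWith("\\") || xmlUrl.contains(":")) {
            return null;
        }
        // Lexical check: after collapsing "..", the path must still start
        // with baseDir. This is what stops "../../../../../var/adm/messages".
        Path candidate = baseDir.resolve(xmlUrl).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        // Filesystem check: a symlink inside baseDir could still point
        // outside it, so compare the real path as well.
        if (!Files.exists(candidate)) {
            return null;
        }
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            return null;
        }
        return real;
    }

    // Stand-alone demo using a constructed temporary directory.
    public static void main(String[] args) throws IOException {
        Path data = Files.createDirectories(
                Files.createTempDirectory("xmlguard").resolve("data"));
        Files.write(data.resolve("report.xml"), "<report/>".getBytes(StandardCharsets.UTF_8));

        XmlPathGuard guard = new XmlPathGuard(data);
        System.out.println("report.xml                       -> " + guard.resolve("report.xml"));
        System.out.println("../../../../../var/adm/messages  -> "
                + guard.resolve("../../../../../var/adm/messages"));
        System.out.println("/var/adm/messages                -> " + guard.resolve("/var/adm/messages"));
    }
}
```

The first lookup resolves to the real `report.xml` under the data directory; the traversal and absolute-path inputs both come back `null`. The `normalize()` step alone is not enough on a box where the data directory may contain symlinks, which is why the real path is compared a second time. Independently of the fix, running Tomcat as an unprivileged account bounds what any such defect can read: a servlet cannot serve a file the JVM's OS user is not permitted to open.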




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
