On 29/10/18 11:29, Yoli Mana wrote:
> Hi All,
> 
> Looking at the description of the below vulnerability. It is not clear to
> me if this is only relevant to those who use Tomcat for serving static
> files (since they are talking about directory redirection).
> If our Tomcat instance is used only to serve dynamic content, is the
> vulnerability relevant to us?

If your application does not make use of Tomcat's default servlet then
you will not be affected by this vulnerability. You would need to check
the servlet mappings for the application to determine if Tomcat's
default servlet would be used to respond to any requests.

Mark

> 
> Thanks,
> 
> When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11,
> 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory
> (e.g. redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any URI
> of the attacker's choice.
> 
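
One way to run the servlet-mapping check described in the reply above, as an added example that is not part of the original thread or Tomcat's own code: it lists the URL patterns in an application's WEB-INF/web.xml that would reach the default servlet. It assumes Tomcat's stock conf/web.xml (servlet name "default" mapped to "/"); the function name and sample are constructed, and mappings from annotations, web-fragment.xml or programmatic registration are not seen.

```python
import xml.etree.ElementTree as ET

DEFAULT_CLASS = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    # Drop the XML namespace so any web.xml schema version matches.
    return tag.rsplit("}", 1)[-1]

def _values(elem, name):
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def default_servlet_patterns(web_xml_text):
    """URL patterns that Tomcat's default servlet would answer for this app."""
    root = ET.fromstring(web_xml_text)
    # Assumption: "default" is the name declared in the global conf/web.xml.
    names = {"default"}
    for s in (e for e in root if _local(e.tag) == "servlet"):
        name = "".join(_values(s, "servlet-name"))
        cls = "".join(_values(s, "servlet-class"))
        if cls == DEFAULT_CLASS:
            names.add(name)        # same class declared under another name
        elif cls:
            names.discard(name)    # app replaced "default" with its own class
    patterns, root_overridden = set(), False
    for m in (e for e in root if _local(e.tag) == "servlet-mapping"):
        name = "".join(_values(m, "servlet-name"))
        for pattern in _values(m, "url-pattern"):
            if name in names:
                patterns.add(pattern)
            elif pattern == "/":
                root_overridden = True   # another servlet took over "/"
    if not root_overridden and "default" in names:
        patterns.add("/")                # inherited global mapping still applies
    return sorted(patterns)

# Constructed sample: app servlet owns "/", static files go to the default servlet.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>app</servlet-name><servlet-class>com.example.AppServlet</servlet-class></servlet>
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/static/*</url-pattern>
  </servlet-mapping>
</web-app>"""
if __name__ == "__main__":
    print(default_servlet_patterns(SAMPLE))
```

An empty result means no mapping in that web.xml reaches the default servlet; any pattern listed is a path where the directory redirect described in the advisory can be produced.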

