Tomcat 4.0 B5 fixed the following JSP source code vulnerability:
----
JSP Source Exposure Vulnerability: Previous versions of Tomcat would expose
the source code to a JSP page, on some JDK platforms, when a request URL
like this was processed:
http://localhost:8080/examples/jsp/num/numguess.jsp%00
The problem occurs because the null character (%00) causes extension mapping
to fail, so this URL is passed to the default file-serving servlet. If the
web application is running in an unpacked directory structure, the JDK's
implementation of the File I/O methods is typically written in C, and the C
runtimes will not have any problem treating the null character as a filename
terminator. Now, Tomcat 4.0 will throw HTTP error 400 (bad request) if you
use invalid characters (including %00) in your request URLs.
----
Justy
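The two-sided view of the same path that the release note describes (extension mapping sees the whole string, the C runtime stops at the NUL) can be modelled in a few lines. This is an added illustration, not Tomcat's code; the mapping and the 4.0 rejection rule are simplified stand-ins for what the note says.

```python
import urllib.parse

# Constructed model of the behaviour described in the Tomcat 4.0 B5 note.
# It is not Tomcat's implementation; it only reproduces the two path views.

def mapped_servlet(decoded_path):
    """Simplified extension mapping: only a path that ends in '.jsp' reaches
    the JSP servlet; anything else falls through to the default file servlet."""
    return "jsp" if decoded_path.endswith(".jsp") else "default"


def c_runtime_filename(decoded_path):
    """What a C-based file API sees: the name is cut at the first NUL byte."""
    return decoded_path.split("\x00", 1)[0]


def analyse_request(raw_uri, reject_control_chars):
    """Return (status, servlet, file_opened) for a percent-encoded request URI.

    reject_control_chars=False models the pre-4.0-B5 behaviour from the note;
    True models the fix, which answers 400 for control characters such as %00.
    """
    decoded = urllib.parse.unquote(raw_uri)
    if reject_control_chars and any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return (400, None, None)
    servlet = mapped_servlet(decoded)
    # The default servlet hands the name to the file API, which truncates it;
    # the JSP servlet would compile the page instead, so no raw file is read.
    file_opened = c_runtime_filename(decoded) if servlet == "default" else None
    return (200, servlet, file_opened)


if __name__ == "__main__":
    uri = "/examples/jsp/num/numguess.jsp%00"
    print("before fix:", analyse_request(uri, reject_control_chars=False))
    print("after fix: ", analyse_request(uri, reject_control_chars=True))
    print("normal:    ", analyse_request(uri[:-3], reject_control_chars=True))
```

In the pre-fix run the request is routed to the default servlet while the file actually opened is the .jsp itself, which is exactly the source exposure; the post-fix run never reaches the file system.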
----- Original Message -----
> Hi all,
>
> Is there any reported vulnerability of Tomcat? I have heard about source
> code of JSP being exposed on Win NT OS. But is there something which
> has been put forward for Tomcat on Unix OS? I am using a Tomcat Netscape
> combination.
>
> Thx
> Sankar
>
>
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets