Nick Bauman wrote:

> On Mon, 11 Dec 2000, Craig R. McClanahan wrote:
>
> > Tomcat 3.2 final has the following security vulnerabilities that have
> > subsequently been fixed in the CVS repository:
> >
> > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> >   expose sensitive information (note the double slash after "examples").
> > * The "Show Source" custom tag used to display JSP source code can
> >   be used to expose sensitive information in WEB-INF.
>
> BTW: I think it should be made clear this is only an issue if you are not
> using a webserver, like apache, in front of the Container. A properly
> configured apache renders these vulnerabilities moot.

I suppose that depends on the definition of "properly configured". The standard config files we generate for Apache would not protect all of the cases, although it would catch some of them.

> -Nick

Craig