> > > Tomcat 3.2 final has the following security vulnerabilities that have
> > > subsequently been fixed in the CVS repository:
> > > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> > >   expose sensitive information (note the double slash after "examples").
> > > * The "Show Source" custom tag used to display JSP source code can
> > >   be used to expose sensitive information in WEB-INF.
> > >


I was not privy to a few of the original posts regarding this.

Is the vulnerability only exposed if one can access the Tomcat
port directly? So if I blocked all access to, say, port 9090 (where my
Tomcat port is) from any foreign machines, then it is safe?

Or is the vulnerability exposed even when accessing Tomcat via
Apache port 80?

-- 
Freddie  Mendoza             
[EMAIL PROTECTED]
