Bug report #664 has just been filed. You can view the report at the following URL: <http://znutar.cortexity.com/BugRatViewer/ShowReport/664>
BugRat Report # 664
Project: Tomcat | Release: 3.2
Category: Bug Report | SubCategory: New Bug Report
Class: swbug | State: received
Priority: high | Severity: critical
Confidence: public
Submitter: Andrew Oliver ( [EMAIL PROTECTED] )
Date Submitted: Dec 26 2000, 07:51:39 CST
Responsible: Z_Tomcat Alias ( [EMAIL PROTECTED] )
- Synopsis: additional undoc'd security flaw at least in 3.2
- Environment (jvm, os, osrel, platform): all, all, all, all
- Additional Environment Description: I don't think this is specific to any one environment, but I'm on Solaris 2.7 with Java 1.3.
- Report Description: I've recently downloaded 3.2.1 but have not installed it. I've noticed, however, that it only annotates the //WEB-INF bug but does not explain that the same bug can be used to bypass security for at least HTML documents. It does not seem to be the case with servlets, as they are not matched against //something. Again, this is in 3.2; I haven't tested yet in 3.2.1 (that's later on today).
- How To Reproduce: null