Dear "lovehacker",

Tomcat 3.0 is an old version and has several known security holes. That is why we recommend that people run the latest released version, which is currently 3.1.1 or 3.2.1 (depending on the branch you are interested in). Tomcat 3.2.2b2 is also available on our website, which fixes the recently announced cross site scripting issue.

I would appreciate it if you would test and report your security holes against the released versions and not the old versions. I see no further action necessary unless your hole is also present in the current code base (I suspect that it isn't).

I also may have missed your posting, but giving advance notice to [EMAIL PROTECTED] and/or [EMAIL PROTECTED] would be more appropriate than posting to bugtraq first.

thanks,

Jon S. Stevens
[EMAIL PROTECTED]
ASF Member
PMC Member - Jakarta Group

--
If you come from a Perl or PHP background, JSP is a way to take your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/ymtd/ymtd.html>

on 3/27/01 10:40 PM, "lovehacker" <[EMAIL PROTECTED]> wrote:

> Topic:
> Tomcat 3.0 for win2000 Directory traversal Vulnerability
>
> vulnerable:
> Tomcat 3.0 for win2000
> maybe for other operating systems also.
>
> discussion:
> A security vulnerability has been found in Windows NT/2000 systems that have Tomcat 3.0 installed. The vulnerability allows remote attackers to access files outside the document root directory scope.
>
> exploits:
> http://target:8080/../../winnt/win.ini%00examples/jsp/hello.jsp
> It is possible to cause the Tomcat server to send back the content of win.ini.
>
> solution:
> None
>
> Copyright 2000-2001 CHINANSL. All Rights Reserved. Terms of use.
>
> CHINANSL Security Team
> <[EMAIL PROTECTED]>
> CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> (http://www.chinansl.com)
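The advisory's URL combines two things a servlet container's path handling has to refuse before touching the filesystem: a `%00` that truncates the name the operating system opens while leaving `.jsp` visible to any suffix check, and `..` segments that climb out of the document root. The following Python is an added example of the corresponding defensive check, not Tomcat's own code; the function names, the throwaway document root and the sample request paths are constructed for this illustration.

```python
"""Added example (not Tomcat's code): validate a request path before mapping
it onto the document root. Rejects embedded NUL bytes and any climb above the
root, then re-checks the resolved filesystem path so symlinks cannot reopen
the hole. The demo document root and sample requests are constructed here."""
import os
import tempfile
from urllib.parse import unquote


class PathRejected(ValueError):
    """Raised for any request path that must not reach the filesystem."""


def canonical_request_path(raw_path: str) -> str:
    """Percent-decode a request path and reduce it to a root-relative POSIX
    path, raising PathRejected if it could name anything outside the root."""
    decoded = unquote(raw_path)
    # The OS stops reading a C string at NUL, so everything after %00 is
    # invisible to open() but visible to a suffix check such as '.jsp'.
    if "\x00" in decoded:
        raise PathRejected("NUL byte in request path")
    # Windows file APIs accept '\' as a separator; normalise before checking.
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        raise PathRejected("request path must start with '/'")
    # Resolve '.' and '..' with an explicit stack so a climb above the root is
    # detected rather than silently discarded (posixpath.normpath would turn
    # '/../x' into '/x', hiding the attempt).
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise PathRejected("path climbs above document root")
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def resolve_under_docroot(docroot: str, raw_path: str) -> str:
    """Map a request path to an absolute filesystem path inside docroot.
    realpath() is applied to both sides so a symlink inside the root cannot
    point the resolved path outside it."""
    rel = canonical_request_path(raw_path).lstrip("/")
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise PathRejected("resolved path escapes document root")
    return target


def check_requests(docroot: str, requests) -> dict:
    """Return {request: outcome}, where outcome is the resolved path or the
    string 'REJECTED: <reason>'. Handy for reviewing a batch of sample URLs."""
    results = {}
    for req in requests:
        try:
            results[req] = resolve_under_docroot(docroot, req)
        except PathRejected as exc:
            results[req] = "REJECTED: " + str(exc)
    return results


def build_demo_docroot() -> str:
    """Create a throwaway document root holding examples/jsp/hello.jsp
    (constructed for this demo) and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    jsp_dir = os.path.join(root, "examples", "jsp")
    os.makedirs(jsp_dir)
    with open(os.path.join(jsp_dir, "hello.jsp"), "w") as fh:
        fh.write("<html>hello</html>\n")
    return root


# Constructed sample request paths: the advisory's URL path, plain and
# percent-encoded traversal, a backslash variant, and two legitimate paths.
SAMPLE_REQUESTS = [
    "/../../winnt/win.ini%00examples/jsp/hello.jsp",
    "/examples/../../etc/passwd",
    "/examples/jsp/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/..\\..\\winnt\\win.ini",
    "/examples/jsp/hello.jsp",
    "/examples/jsp/../jsp/hello.jsp",
]

if __name__ == "__main__":
    for req, outcome in check_requests(build_demo_docroot(), SAMPLE_REQUESTS).items():
        print(f"{req!r:55} -> {outcome}")
```

The NUL check runs on the decoded string before any suffix or extension test, which is the ordering that matters: a check on the suffix of the decoded string still sees `hello.jsp`, but the file the OS would open ends at the NUL. The explicit segment stack is deliberately stricter than `normpath`, because a request that tries to climb above the root is worth rejecting (and logging) rather than quietly rewriting.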