Dear Apache,
Further to these postings on Bugtraq, could you confirm whether this
directory traversal vulnerability has indeed been fixed in the latest
versions of Tomcat?
Kindest regards,
Peter Thomas - Editor - http://www.securitywatch.com
tel +32 (0)16 28 73 14 - fax +32 (0)16 28 7288
Grensstraat 1b - B-3010 Leuven - Belgium
*E-security rule #1: ignorance is never a defense*
-------- Original Message --------
From: [EMAIL PROTECTED] (Jon Stevens)
Subject: Re: CHINANSL Security Advisory (CSA-200108)
Newsgroups: lists.bugtraq
on 3/30/01 11:26 PM, "lovehacker" <[EMAIL PROTECTED]> wrote:
> Topic:
> Tomcat 3.2.1 for win2000 Directory Traversal Vulnerability
>
> vulnerable:
> Tomcat 3.2.1 for win2000
> maybe for other operating system also.
>
> discussion:
> A security vulnerability has been found in Windows NT/2000 systems
> that have Tomcat 3.2.1 installed. The vulnerability allows remote
> attackers to access files outside the document root directory scope.
>
> exploits:
> http://target:8080/%2e%2e/%2e%2e/%00.jsp
> It is possible to cause the Tomcat server to list directories
> outside the document root directory scope.
>
> solution:
> None
>
> Copyright 2000-2001 CHINANSL. All Rights
> Reserved. Terms of use.
>
> CHINANSL Security Team
> <[EMAIL PROTECTED]>
> CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> (http://www.chinansl.com)
What is with this Copyright stuff?
#1. Please report security issues to [EMAIL PROTECTED] and/or
[EMAIL PROTECTED] first. It seems like that is a common courtesy.
#2. Please test against the latest Tomcat 4.0 which is 4.0b2. I believe
that this has already been fixed.
p.s. Your [EMAIL PROTECTED] email address bounces.
-jon
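A defender-side check for the request pattern discussed in this thread (percent-encoded dot-dot segments combined with a %00 NUL byte), written as an added example for this page; it is not code from the original messages, from CHINANSL or from Tomcat, and the sample paths, function names and finding labels are constructed here.

```python
from urllib.parse import unquote

# Constructed sample request paths for this demo. The first is the URL
# pattern quoted in the CHINANSL advisory above; the rest are made up here.
SAMPLE_PATHS = [
    "/%2e%2e/%2e%2e/%00.jsp",       # encoded dot-dot plus NUL truncation
    "/examples/jsp/index.jsp",      # ordinary request, should be clean
    "/docs/../../WEB-INF/web.xml",  # plain dot-dot climbing above the root
    "/static/%252e%252e/b.jsp",     # double-encoded dot-dot, stays in root
]

def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so double encoding cannot hide '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(decoded):
    """True if walking the segments ever climbs above the document root."""
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify_request_path(raw_path):
    """Return the reasons a request path looks like traversal (empty = clean)."""
    decoded = decode_fully(raw_path)
    reasons = []
    if "\x00" in decoded:
        reasons.append("nul-byte")        # %00 cuts off the extension check
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("dot-dot-segment")
    if escapes_root(decoded):
        reasons.append("escapes-root")
    return reasons

def scan(paths=SAMPLE_PATHS):
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {p: classify_request_path(p) for p in paths if classify_request_path(p)}
```

Run the check on decoded paths only after the decode step, since a pattern match on the raw `%2e%2e` string alone misses double-encoded forms.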