Has anyone on tomcat-dev been able to reproduce these problems using Tomcat
3.2.x? I've been trying to reproduce the error using 3.2.1, 3.2.2b2 and
even 3.1.1. So far I always get a 404. I've never been able to get
directory listing or JSP source.

The beta 2 time period is just about over. With the exception of this
reported security problem, no critical bugs have been found during this beta
cycle. I plan to call the final release vote soon, but I want to make sure
this security problem isn't real before I do that.

> -------- Original Message --------
> From: [EMAIL PROTECTED] (Jon Stevens)
> Subject: Re: CHINANSL Security Advisory(CSA-200108)
> Newsgroups: lists.bugtraq
>
> on 3/30/01 11:26 PM, "lovehacker" <[EMAIL PROTECTED]> wrote:
>
> > Topic:
> > Tomcat 3.2.1 for win2000 Directory traversal
> > Vulnerability
> >
> > vulnerable:
> > Tomcat 3.2.1 for win2000
> > maybe for other operating system also.
> >
> > discussion:
> > A security vulnerability has been found in Windows
> > NT/2000 systems that have Tomcat 3.2.1
> > installed. The
> > vulnerability allows remote attackers to access files
> > outside the document root directory scope.
> >
> > exploits:
> > http://target:8080/%2e%2e/%2e%2e/%00.jsp
> > It is possible to cause the Tomcat server to list
> > outside the document root directory scope.
> >
> > solution:
> > None
> >
> > Copyright 2000-2001 CHINANSL. All Rights
> > Reserved. Terms of use.
> >
> > CHINANSL Security Team
> > <[EMAIL PROTECTED]>
> > CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> > (http://www.chinansl.com)
>
> What is with this Copyright stuff?
>
> #1. Please report security issues to [EMAIL PROTECTED] and/or
> [EMAIL PROTECTED] first. It seems like that is a common
> courtesy.
>
> #2. Please test against the latest Tomcat 4.0 which is 4.0b2. I believe that
> this has already been fixed.
>
> p.s. Your [EMAIL PROTECTED] email address bounces.
>
> -jon
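
A containment check of the kind a server can apply to a request path like the one quoted in the advisory, as an added example (not Tomcat's code and not part of the original thread). The class name `RequestPathCheck`, the `resolve` helper and the `webapps/ROOT` document root are assumptions made for illustration; it needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class RequestPathCheck {

    /** Returns the file under docRoot for rawPath, or null if the answer must be 404. */
    static Path resolve(Path docRoot, String rawPath) {
        String decoded;
        try {
            // Decode percent-escapes exactly once; keep '+' literal (it is not a space in a path).
            decoded = URLDecoder.decode(rawPath.replace("+", "%2B"), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed escape such as "%zz"
        }
        // A NUL can truncate the name in native file APIs; '\' is a separator on Windows.
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) {
            return null;
        }
        for (String segment : decoded.split("/")) {
            if (segment.equals("..")) {
                return null; // refuse parent references instead of trying to fix them up
            }
        }
        try {
            Path root = docRoot.toAbsolutePath().normalize();
            Path target = root.resolve(decoded.replaceFirst("^/+", "")).normalize();
            // Final containment test on the normalized path.
            return target.startsWith(root) ? target : null;
        } catch (InvalidPathException e) {
            return null; // characters the platform cannot use in a file name
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("webapps", "ROOT"); // constructed document root
        String[] samples = {                       // constructed request paths
            "/index.jsp",
            "/%2e%2e/%2e%2e/%00.jsp",              // the request quoted in the advisory
            "/docs/%2e%2e/index.jsp",
            "/a%5c..%5cb",
        };
        for (String s : samples) {
            Path p = resolve(root, s);
            System.out.println(s + " -> " + (p == null ? "404" : p.toString()));
        }
    }
}
```

The check is lexical only: it does not resolve symbolic links, and it relies on nothing downstream decoding the path a second time.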