Hi.
I'm using Jakarta Tomcat 3.2.2 with Apache 1.3.20 / mod_jk (Linux)
and I have some security-related questions:
1) I've read that 3.2.3 is the latest available version of the 3.2.x branch
and that it covers a security issue. What is this security issue about,
and where could I read more about it? Could it be the
"2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability"
(http://www.securityfocus.com/vdb/bottom.html?vid=2982)?
2) Is there any patch, or is a future release planned, to cover the
"2001-08-16: Jakarta Tomcat 3.2.1 Error Message Information Disclosure
Vulnerability" issue?
(http://www.securityfocus.com/vdb/bottom.html?vid=3199)
3) The following is a security issue I'm experiencing. It may be a
configuration error on my part, or perhaps a bug. I need some
help. Let's suppose you have a working .jsp page:
http://www.foo.com/bar/home.jsp. Then if you use the following URL, the
.jsp source is shown instead of being executed by Tomcat:
http://www.foo.com/\bar/home.jsp. This is how I mount
the context (excerpt from the mod_jk.conf file):
Alias /bar /usr/local/tomcat/webapps/bar
JkMount /bar/*.jsp ajp13
JkMount /bar/*.xml ajp13
JkMount /bar/servlet/* ajp13
<Location /bar/WEB-INF/ >
AllowOverride None
deny from all
</Location>
<Location "/bar/META-INF/">
AllowOverride None
deny from all
</Location>
Am I missing something, or is the \ trick a bug? Is there any workaround?
Thanks in advance!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
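The following is an added illustration and is not part of the post above, nor code from Tomcat, Apache or mod_jk. It models one hypothesis for what the poster is seeing: the JkMount patterns are matched against the request URI as it arrives, while the Alias/file lookup works on a normalised path. Whether Apache 1.3.20 actually folds a leading `\` or a doubled `/` into a single `/` before the Alias lookup is an assumption made here for the sake of the model, not an established fact. The mount list and alias are copied from the poster's mod_jk.conf excerpt; the `decision()` function shows the check a practitioner would want regardless of the root cause: anything that resolves to a `.jsp` file (or under WEB-INF/META-INF) but was not claimed by a JkMount must be refused by Apache, never served as a static file.

```python
import fnmatch
import re

# Taken from the poster's mod_jk.conf excerpt.
JKMOUNTS = ["/bar/*.jsp", "/bar/*.xml", "/bar/servlet/*"]
ALIASES = {"/bar": "/usr/local/tomcat/webapps/bar"}

# Anything Apache itself must never hand out as a plain file.
DENY_FILE_RE = re.compile(r"(\.jsp$|/WEB-INF/|/META-INF/)", re.IGNORECASE)


def jkmount_handles(uri: str) -> bool:
    """JkMount-style glob match against the raw request URI (no normalisation)."""
    return any(fnmatch.fnmatchcase(uri, pat) for pat in JKMOUNTS)


def normalise(uri: str) -> str:
    """ASSUMED file-side normalisation: '\\' becomes '/', repeated '/' collapse.

    This is the hypothesis under test, not documented Apache 1.3 behaviour.
    """
    return re.sub(r"/+", "/", uri.replace("\\", "/"))


def apache_file_for(uri: str):
    """Alias lookup on the normalised path; None when no alias applies."""
    path = normalise(uri)
    for prefix, docroot in ALIASES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return docroot + path[len(prefix):]
    return None


def served_as_static(uri: str) -> bool:
    """True when the URI maps to a file under an alias but no JkMount claims it.

    In that case Apache would deliver the .jsp bytes itself, which is the
    source disclosure described in the post.
    """
    return apache_file_for(uri) is not None and not jkmount_handles(uri)


def decision(uri: str) -> str:
    """Hardened handling: forward, refuse, serve static, or 404.

    The extra rule compared with the posted config is the DENY_FILE_RE check
    on the resolved filename, which closes the gap for every URI spelling that
    escapes the JkMount globs but still resolves to a protected file.
    """
    if jkmount_handles(uri):
        return "forward"          # ajp13 -> Tomcat executes the page
    path = apache_file_for(uri)
    if path is None:
        return "404"
    if DENY_FILE_RE.search(path):
        return "403"              # never serve JSP source or WEB-INF/META-INF
    return "static"               # images, css, ... are fine to serve directly


if __name__ == "__main__":
    for u in ["/bar/home.jsp", "/\\bar/home.jsp", "//bar/home.jsp",
              "/bar/logo.png", "/\\bar/WEB-INF/web.xml"]:
        print(f"{u!r:28} leaks source: {served_as_static(u)!s:5} "
              f"hardened decision: {decision(u)}")
```

In real Apache 1.3 terms the `DENY_FILE_RE` step corresponds to a `<FilesMatch "\.jsp$">` block with `deny from all` next to the existing WEB-INF/META-INF Location blocks: file-based rules key on the resolved filename rather than on the URI spelling, so they are the natural backstop when URI-based mounts can be dodged. Whether that closes the specific `\` case on the poster's build is something to verify against the server, not something this model proves.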