Hello,

Due to the increased volume of SPAM this mailbox has been closed.

Please contact us via http://www.directxtras.com/ContactUS.asp

We apologize for the inconvenience.

Best Regards,
--
The DirectXtras Team
---------------------------------------------------------------------
DirectXtras - Xtra Power for Director and Authorware -
              http://www.directxtras.com
Sites with something to say - http://www.SpeaksForItself.com
---------------------------------------------------------------------


Your message reads:

Received: from mail.apache.org (unverified [208.185.179.12]) by mail2.intermedia.net
 (Rockliffe SMTPRA 4.5.6) with SMTP id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>;
 Fri, 16 Apr 2004 03:09:54 -0700
Received: (qmail 87620 invoked by uid 500); 16 Apr 2004 10:09:31 -0000
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Id: "Tomcat Developers List" <tomcat-dev.jakarta.apache.org>
Reply-To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Delivered-To: mailing list [EMAIL PROTECTED]
Received: (qmail 87603 invoked from network); 16 Apr 2004 10:09:31 -0000
Received: from unknown (HELO loninmrp0.uk.db.com) (160.83.52.97)
  by daedalus.apache.org with SMTP; 16 Apr 2004 10:09:31 -0000
Received: from sdbo1003.db.com by loninmrp0.uk.db.com 
         id i3GA9hKt031914; Fri, 16 Apr 2004 11:09:44 +0100
Subject: single percent sign in a parameter causes an exception report detailing
 tomcat version 
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
X-Mailer: Lotus Notes Release 5.0.8  June 18, 2001
Message-ID: <[EMAIL PROTECTED]>
From: "David Cassidy" <[EMAIL PROTECTED]>
Date: Fri, 16 Apr 2004 11:09:42 +0100
X-MIMETrack: Serialize by Router on sdbo1003/DMGUK/DeuBaInt/DeuBa(5012HF499 | November
 14, 2003) at 16/04/2004 11:09:47 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Guys,

We've had a pen test done on one of the apps we look after and they found an issue which I'd
like a little guidance on ...

(Accept that these guys are specifically sending iffy requests to cause the system to
break or detail what versions of the code are being used, to provide ways of hacking in ..)

If you have a page that does
request.getParameter("paramName")
and you specify

page.jsp?paramName=%

The result is an exception report that details what version of tomcat you are running
(I've tried this with 4.1.29 and it does make a wonderful exception report!)

Anyone seen this before ?
Anyone got a fix ?


Thanks

David




--

This e-mail may contain confidential and/or privileged information. If you are not the 
intended recipient (or have received this e-mail in error) please notify the sender 
immediately and destroy this e-mail. Any unauthorized copying, disclosure or 
distribution of the material in this e-mail is strictly forbidden.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
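An added example (mine, not code from the original post, the DirectXtras reply or Tomcat itself) of the kind of fix David is asking for: a servlet Filter that checks the raw, undecoded query string for malformed percent-escapes and answers 400 before any JSP reaches request.getParameter(), so the container's URL decoder never has to throw. The class name StrictQueryStringFilter and the assumption that it is mapped to /* in web.xml are mine; the API is the Servlet 2.3 Filter API that Tomcat 4.1 implements.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose query string contains a malformed percent-escape
 * (a bare "%", or "%" followed by fewer than two hex digits) before any
 * servlet or JSP calls request.getParameter(). The container therefore
 * never throws while decoding parameters and never renders its default
 * exception report for this input.
 *
 * Hypothetical class; assumed to be mapped to /* in web.xml.
 */
public class StrictQueryStringFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // getQueryString() returns the raw query exactly as sent, still encoded,
            // so we can validate it without triggering the container's decoder.
            String qs = ((HttpServletRequest) req).getQueryString();
            if (!isValidPercentEncoding(qs)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return; // do not pass the request on
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * True when every '%' in s begins a complete "%XX" escape with two hex digits.
     * A null query string (no '?' in the URL) is valid.
     * "a=%"  -> false, "a=%2" -> false, "a=%zz" -> false, "a=%25" -> true.
     */
    static boolean isValidPercentEncoding(String s) {
        if (s == null) return true;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) != '%') continue;
            if (i + 2 >= s.length()
                    || !isHex(s.charAt(i + 1)) || !isHex(s.charAt(i + 2))) {
                return false;
            }
            i += 2; // skip the two hex digits just checked
        }
        return true;
    }

    private static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }
}
```

Two caveats before relying on it. First, the filter only moves the failure earlier: Tomcat's default error report for a plain 400 still prints the server version at the bottom of the page, so add <error-page> entries in web.xml for <error-code>400</error-code> and for <exception-type>java.lang.Throwable</exception-type> that point at a static page of your own, which is what actually stops the version and stack trace leaving the server. Second, the filter only sees the query string; parameters posted as an application/x-www-form-urlencoded body go through the same decoder, so an app that accepts POST needs the same check on the body. To confirm the result, request page.jsp?paramName=% together with a few variants such as %2 and %zz, and check that the response carries neither a stack trace nor the Tomcat version string.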


