still makes a nasty mess on your screen :) They also discovered that if you pass 7,600 bytes as the value for a GET parameter that mod_jk1 tells you the server is down.
When you see reports from 'pen testers' with this is you know they are clutching at straws its a boring friday ! David "Shapira, Yoav" <[EMAIL PROTECTED] To: "Tomcat Developers List" <[EMAIL PROTECTED]> .com> cc: Subject: RE: single percent sign in a parameter causes an exception report detailing tomcat version 16/04/2004 13:52 Please respond to "Tomcat Developers List" Hi, Thanks for providing some amusement on my Friday morning ;) This is not a known issue because it's not an issue. Knowing tomcat's version number won't help you because there are no version-specific tomcat security holes. Furthermore, all of tomcat's built-in error pages have the exact version, i.e. even mishaps like 404's give the same result as your test. So this is not special to the % parameter either. Yoav Shapira Millennium Research Informatics >-----Original Message----- >From: David Cassidy [mailto:[EMAIL PROTECTED] >Sent: Friday, April 16, 2004 6:10 AM >To: Tomcat Developers List >Subject: single percent sign in a parameter causes an exception report >detailing tomcat version > >Guys, > >We've had a pen test done on one of the apps we look after and they an >issue which I'd >like a little guidance on ... > >(Accept that these guys are specifically sending iffy requests to cause the >system to break or detail >what versions of the code is being used to provide ways of hacking in ..) > >If you have a page that does >request.getParameter("paramName") >and you specify > >page.jsp?paramName=% > >The result is an exception report that details what version of tomcat you >are running >(I've tried this with 4.1.29 and it does make a wonderful exception >report!) > >Anyone seen this before ? >Anyone got a fix ? > > >Thanks > >David > > > > >-- > >This e-mail may contain confidential and/or privileged information. If you >are not the intended recipient (or have received this e-mail in error) >please notify the sender immediately and destroy this e-mail. Any >unauthorized copying, disclosure or distribution of the material in this e- >mail is strictly forbidden. > > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]