still makes a nasty mess on your screen :)

They also discovered that if you pass 7,600 bytes as the value for a GET parameter
that mod_jk1 tells you the server is down.

When you see reports from 'pen testers' with this in, you know they are clutching at
straws.

It's a boring Friday!

David

"Shapira, Yoav" <[EMAIL PROTECTED].com>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
cc:
Subject: RE: single percent sign in a parameter causes an exception report detailing tomcat version
16/04/2004 13:52
Please respond to "Tomcat Developers List"

Hi,
Thanks for providing some amusement on my Friday morning ;)

This is not a known issue because it's not an issue.  Knowing tomcat's
version number won't help you because there are no version-specific
tomcat security holes.  Furthermore, all of tomcat's built-in error
pages have the exact version, i.e. even mishaps like 404's give the same
result as your test.  So this is not special to the % parameter either.

Yoav Shapira
Millennium Research Informatics


>-----Original Message-----
>From: David Cassidy [mailto:[EMAIL PROTECTED]
>Sent: Friday, April 16, 2004 6:10 AM
>To: Tomcat Developers List
>Subject: single percent sign in a parameter causes an exception report
>detailing tomcat version
>
>Guys,
>
>We've had a pen test done on one of the apps we look after and they found an
>issue which I'd like a little guidance on ...
>
>(Accept that these guys are specifically sending iffy requests to cause the
>system to break or detail what versions of the code are being used, to provide
>ways of hacking in ..)
>
>If you have a page that does
>request.getParameter("paramName")
>and you specify
>
>page.jsp?paramName=%
>
>The result is an exception report that details what version of tomcat you
>are running
>(I've tried this with 4.1.29 and it does make a wonderful exception
>report!)
>
>Anyone seen this before?
>Anyone got a fix?
>
>
>Thanks
>
>David
>
>
>
>
>--
>
>This e-mail may contain confidential and/or privileged information. If
you
>are not the intended recipient (or have received this e-mail in error)
>please notify the sender immediately and destroy this e-mail. Any
>unauthorized copying, disclosure or distribution of the material in
this e-
>mail is strictly forbidden.
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]




This e-mail, including any attachments, is a confidential business communication, and 
may contain information that is confidential, proprietary and/or privileged.  This 
e-mail is intended only for the individual(s) to whom it is addressed, and may not be 
saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) 
intended recipient, please immediately delete this e-mail from your computer system 
and notify the sender.  Thank you.


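As an added example, not code from this thread or from Tomcat itself: a servlet Filter that keeps a request-parsing failure, such as the lone "%" parameter David describes, from reaching the container's default error report page (the page that prints the Tomcat version). It assumes the javax.servlet API and that the bad percent-encoding surfaces as an IllegalArgumentException from the container; the class and filter names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example): answers any failure in the wrapped
// request with a fixed, version-free body instead of the container's
// exception report. Map it to /* in web.xml.
public class GenericErrorFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res);
        } catch (IllegalArgumentException e) {
            // Assumption: the container raises this when a parameter such as
            // paramName=% cannot be URL-decoded. A client error, so answer 400.
            sendPlain(http, HttpServletResponse.SC_BAD_REQUEST);
        } catch (RuntimeException e) {
            // Anything else unexpected: generic 500, no stack trace, no version.
            sendPlain(http, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        } catch (ServletException e) {
            sendPlain(http, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    // Discard whatever the servlet had buffered and write a neutral message.
    private static void sendPlain(HttpServletResponse res, int status) throws IOException {
        if (res.isCommitted()) {
            return; // headers already sent; nothing more can be replaced
        }
        res.reset();
        res.setStatus(status);
        res.setContentType("text/plain");
        res.getWriter().println("The request could not be processed.");
    }
}
```

Pairing the filter with <error-page> entries for 404 and 500 in web.xml covers the built-in error pages Yoav mentions, which otherwise show the same version string.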