On 18/04/2013 14:14, Wen Liu wrote:
>
> Howdy,
>
> I have an issue with Tomcat security, please find the spec below:
>
> Server version: Apache Tomcat/6.0.35
> Server built: Nov 28 2011 11:20:06
> Server number: 6.0.35.0
> OS Name: SunOS
> OS Version: 5.10
> Architecture: x86
> JVM Version: 1.6.0_33-b03
> JVM Vendor: Sun Microsystems Inc.
>
>
> For the problematic server, all files on the server are exposed to all users
> through
> http://<masterservice_IP>:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../<location_of_the_file>
>
> i.e. open Chrome, give
> http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages
> and press enter to see the server system log..
>
> It happens with any browsers..
>
> I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is
> a service config issue.. Can someone please have a look?..
>
> Please let me know if any further info required..

That is an application vulnerability, not a Tomcat vulnerability.

Mark
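
The check an application like this needs before opening the file named by `xmlUrl`, as an added example that is not part of the thread or of the application discussed. It assumes the servlet reads `xmlUrl` as a path relative to one document directory; the class name `XmlUrlResolver`, the method `resolve` and the base directory are hypothetical, and the sample inputs are constructed apart from the path quoted in the report.

```java
import java.io.File;
import java.io.IOException;

public class XmlUrlResolver {

    /**
     * Resolve a user-supplied relative name against baseDir and refuse any
     * result that lies outside baseDir once "." / ".." and symlinks are resolved.
     * Uses only java.io so it also compiles on the Java 6 JVM named in the report.
     */
    static File resolve(File baseDir, String xmlUrl) throws IOException {
        if (xmlUrl == null || xmlUrl.length() == 0 || xmlUrl.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed xmlUrl");
        }
        if (new File(xmlUrl).isAbsolute()) {
            throw new SecurityException("absolute paths are not allowed");
        }
        File base = baseDir.getCanonicalFile();
        File target = new File(base, xmlUrl).getCanonicalFile();

        // Compare with a trailing separator so /data/xml-old does not pass for /data/xml.
        String basePath = base.getPath();
        String prefix = basePath.endsWith(File.separator) ? basePath : basePath + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new SecurityException("xmlUrl escapes the document directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical document directory; a real servlet would take it from configuration.
        File baseDir = new File(System.getProperty("java.io.tmpdir"), "consistencycheck-xml");
        baseDir.mkdirs();
        String[] samples = {
            "report.xml",                        // constructed: plain file name
            "sub/../report.xml",                 // constructed: ".." that stays inside
            "../../../../../var/adm/messages",   // value from the report above
            "/var/adm/messages"                  // constructed: absolute path
        };
        for (int i = 0; i < samples.length; i++) {
            try {
                System.out.println("ALLOW " + samples[i] + " -> " + resolve(baseDir, samples[i]));
            } catch (SecurityException e) {
                System.out.println("DENY  " + samples[i] + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two inputs resolve inside the document directory and are allowed; the traversal string from the report and the absolute path are rejected before any file is opened.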