Thanks for the reply, Mark. If possible, can you please point to any references/docs which would help me convince others about the directory traversal vulnerability not impacting a standalone tomcat? Even an explanation would help.
I personally do agree that upgrading the tomcat is surely the thing to do rather than looking for alternatives, but this is something beyond my powers in this case :-)

Thanks once again.
Gaurav

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, September 09, 2009 1:49 PM
To: Tomcat Users List
Subject: Re: Does CVE-2007-0450 (Directory Traversal) affect standalone Tomcat

Tadelkar, Gauravsagar (Gaurav) wrote:
> I have a tomcat at version 5.5.15 in a standalone mode and due to some
> compulsions cannot upgrade it. Does the directory traversal
> vulnerability affect tomcat in a standalone mode (the 5.5.15 ver does
> not have a fix to this vulnerability)?

No it doesn't. However, there are plenty of other vulnerabilities (eg CVE-2008-5515) that do.

> Alternately, is there a way I can secure/work around this
> vulnerability without upgrading?

You'd have to look at each vulnerability on a case by case basis. Upgrading to 5.5.28 is likely to be less painful than any of the alternatives.

Mark