| From | Sent On | Attachments |
|---|---|---|
| Craig R. McClanahan | Dec 11, 2000 5:19 pm | |
| Remy Maucherat | Dec 11, 2000 5:28 pm | |
| Hans Bergsten | Dec 11, 2000 5:38 pm | |
| Craig R. McClanahan | Dec 11, 2000 5:59 pm | |
| Jon Stevens | Dec 11, 2000 6:53 pm | |
| Jon Stevens | Dec 11, 2000 6:54 pm | |
| Larry Isaacs | Dec 11, 2000 6:56 pm | |
| Nick Bauman | Dec 11, 2000 9:44 pm | |
| Kief Morris | Dec 12, 2000 2:01 am | |
| GOMEZ Henri | Dec 12, 2000 2:02 am | |
| Brett Bergquist | Dec 12, 2000 5:21 am | |
| Glenn Nielsen | Dec 12, 2000 7:08 am | |
| Arieh Markel | Dec 12, 2000 7:45 am | |
| Sean | Dec 12, 2000 9:07 am | |
| Mike Anderson | Dec 12, 2000 9:27 am | |
| Craig R. McClanahan | Dec 12, 2000 9:56 am | |
| Craig R. McClanahan | Dec 12, 2000 10:02 am | |
| av...@satori.com | Dec 12, 2000 1:36 pm | |
| Glenn Nielsen | Dec 12, 2000 6:30 pm | |
| Steve Downey | Dec 15, 2000 12:12 pm | |
| Subject: | Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2 |
|---|---|
| From: | Craig R. McClanahan (Crai...@eng.sun.com) |
| Date: | Dec 12, 2000 9:56:24 am |
| List: | org.apache.tomcat.dev |
Nick Bauman wrote:

> On Mon, 11 Dec 2000, Craig R. McClanahan wrote:
>
> > Tomcat 3.2 final has the following security vulnerabilities that have subsequently been fixed in the CVS repository:
> >
> > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can expose sensitive information (note the double slash after "examples").
> > * The "Show Source" custom tag used to display JSP source code can be used to expose sensitive information in WEB-INF.
>
> BTW: I think it should be made clear this is only an issue if you are not using a webserver, like apache, in front of the Container. A properly configured apache renders these vulnerabilities moot.

I suppose that depends on the definition of "properly configured". The standard config files we generate for Apache would not protect all of the cases, although it would catch some of them.

> -Nick

Craig
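As an added illustration (not code from this thread or from Tomcat itself), the following shows how a prefix check on the un-normalized servlet path misses the double-slash URL quoted above, beside a check that normalizes the path and tests each segment. The context-prefix splitting and the shape of the weak check are assumptions about the bug, and the sample paths are constructed.

```python
import posixpath

# Constructed sample request URIs; the first is the one quoted in the advisory.
SAMPLE_PATHS = [
    "/examples//WEB-INF/web.xml",
    "/examples/WEB-INF/web.xml",
    "/examples/jsp/dates/date.jsp",
]

CONTEXT_PATH = "/examples"  # assumed context mapping for the examples webapp


def split_context(request_uri, context_path=CONTEXT_PATH):
    """Return the servlet path left after the context prefix (assumed mapping)."""
    if request_uri == context_path:
        return "/"
    if not request_uri.startswith(context_path + "/"):
        raise ValueError("request is not inside the context")
    return request_uri[len(context_path):]


def naive_is_protected(request_uri):
    """Prefix test on the raw servlet path: our assumption of the weak check.
    '//WEB-INF/web.xml' does not start with '/WEB-INF', so it slips through,
    while the file system later collapses the '//' and serves web.xml."""
    return split_context(request_uri).startswith("/WEB-INF")


def hardened_is_protected(request_uri):
    """Normalize first, then test every segment. Note that posixpath.normpath
    keeps a *leading* '//' (POSIX allows it), so a prefix test would still be
    fragile; comparing segments makes the leading-slash count irrelevant."""
    servlet_path = posixpath.normpath(split_context(request_uri))
    segments = [s for s in servlet_path.split("/") if s]
    return "WEB-INF" in segments


def audit(paths=SAMPLE_PATHS):
    """Map each path to (naive verdict, hardened verdict) for comparison."""
    return {p: (naive_is_protected(p), hardened_is_protected(p)) for p in paths}
```

The same segment-based test is what a front-end web server rule must reproduce; a literal match on "/WEB-INF/" in the URL catches the plain form but not every spelling a container will later collapse.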