tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefán Freyr Stefánsson <>
Subject RE: Tomcat security issue - THIS IS SERIOUS !!!
Date Wed, 18 Oct 2000 11:31:07 GMT
I have not been able to reproduce this problem on 3.2b6.  But this is
actually what worries me the most...  Mr. Cheong Takhoe did this with a
version of Tomcat which I can't remember what is and mr. Craig R. McClanahan
was able to reproduce the problem on another version of Tomcat... this
worries me alot since I can't see that there is any guarantee that this will
not happen on my 3.2 b6 version of Tomcat (if I change some external factors
like the operating system, jdk version or something else).

Can any of the Tomcat developers answer the following question:
	Will this bug be throuroughly tested in the final version of 3.2 and will
there be a guarantee (or at least as close to a guarantee as you can
possibly give) that this won't happen?

I do realize that Tomcat is being developed in your spare time for most of
you... but it is being used all over the place in applications that can't
afford bugs like this.  At the same time I ask you this question I would
like to thank you guys for all your hard work on this... kudos to y'all,
just to keep it absolutely clear that there is not a trace of grudge in this
letter! ;o)

Kind regards, Stefan.

-----Original Message-----
From: Cheong Takhoe []
Sent: 18. október 2000 10:20
To: ''
Subject: RE: Tomcat security issue - THIS IS SERIOUS !!!

TADA.... : )

> -----Original Message-----
> From:	Lacerda, Wellington (AFIS) []
> Sent:	Wednesday, October 18, 2000 4:31 PM
> To:	''
> Subject:	RE: Tomcat security issue - THIS IS SERIOUS !!!
> Importance:	High
> I have tomcat under NT and it exposes the source code even when you call
> it
> as standalone server through :8080 !
> Is this affecting 3.2b6 also ?
> Wellington Silva
> 		-----Original Message-----
> 		From:	Richard Wooding []
> 		Sent:	Wednesday, October 18, 2000 10:24 AM
> 		To:
> 		Subject:	Re: Tomcat security issue
> 		check your apache configuration
> 		----- Original Message -----
> 		From: "Cheong Takhoe" <>
> 		To: <>
> 		Sent: Wednesday, October 18, 2000 7:34 AM
> 		Subject: Tomcat security issue
> 		Hi,
> 		I discovered that Tomcat has a security problem with regards
> to the way it
> 		works with the handlers.
> 		if you have a file x.jsp
> 		when you access it through the web browser,
> http://<hostname>/x.jsp\
> 		with the \ there,
> 		it opens up the source code....
> 		HMMMMMmmmm...
> 		I don't know whether this is similar on a non-NT platform.
> 		any ideas about this? solutions?
> 		regards,
> 		Cheong Takhoe

View raw message