tomcat-dev mailing list archives

From a..@satori.com
Subject Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
Date Tue, 12 Dec 2000 21:37:14 GMT
> > > Tomcat 3.2 final has the following security vulnerabilities that have
> > > subsequently been fixed in the CVS repository:
> > > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> > >   expose sensitive information (note the double slash after "examples").
> > > * The "Show Source" custom tag used to display JSP source code can
> > >   be used to expose sensitive information in WEB-INF.
> > >


I was not privy to a few of the original posts regarding this.

Is the vulnerability only exposed if one can access the Tomcat
port directly? So if I blocked all access to, say, port 9090 (where my
Tomcat port is) from any foreign machines, then it is safe?

Or is the vulnerability exposed even when accessing Tomcat via
Apache port 80?

-- 
Freddie Mendoza
avm@satori.com
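
The double-slash item in the quoted advisory, as an added example that is not part of the original message and is not Tomcat's code: a protected-directory check done on the raw path next to one done after normalization. It assumes, for illustration only, that the exposure comes from comparing the un-normalized path against "/WEB-INF"; the class name, method names and sample paths are hypothetical, and the path is assumed to be already URL-decoded and relative to the web application context.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

// Added illustration; names are hypothetical and this is not Tomcat's code.
public class ProtectedPathCheck {

    // Naive check (assumed for illustration): it compares the raw path, so an
    // extra slash or a dot segment in front of WEB-INF defeats the prefix test.
    static boolean naiveIsProtected(String pathInContext) {
        return pathInContext.toUpperCase(Locale.ROOT).startsWith("/WEB-INF");
    }

    // Drop empty and "." segments and resolve ".." before any comparison.
    // Returns null when the path climbs above the context root.
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String s : path.replace('\\', '/').split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) {
                if (segments.isEmpty()) return null;
                segments.removeLast();
            } else {
                segments.addLast(s);
            }
        }
        return "/" + String.join("/", segments);
    }

    // Hardened check: unresolvable paths are refused, and the first segment
    // is matched case-insensitively against the protected directory names.
    static boolean isProtected(String pathInContext) {
        String n = normalize(pathInContext);
        if (n == null) return true;
        String[] parts = n.split("/", 3);
        String first = parts.length > 1 ? parts[1].toUpperCase(Locale.ROOT) : "";
        return first.equals("WEB-INF") || first.equals("META-INF");
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the /examples context.
        String[] samples = { "/WEB-INF/web.xml", "//WEB-INF/web.xml",
                             "/jsp/../web-inf/web.xml", "/jsp/index.html" };
        for (String p : samples) {
            System.out.printf("%-26s naive=%-5b hardened=%b%n",
                              p, naiveIsProtected(p), isProtected(p));
        }
    }
}
```

The check runs on whatever path string reaches the servlet container, so it applies the same way to a request that arrives directly and to one forwarded by a front-end web server.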
