tomcat-dev mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
Date Tue, 12 Dec 2000 17:56:46 GMT
Nick Bauman wrote:

> On Mon, 11 Dec 2000, Craig R. McClanahan wrote:
>
> >
> > Tomcat 3.2 final has the following security vulnerabilities that have
> > subsequently been fixed in the CVS repository:
> > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> >   expose sensitive information (note the double slash after "examples").
> > * The "Show Source" custom tag used to display JSP source code can
> >   be used to expose sensitive information in WEB-INF.
> >
>
> BTW: I think it should be made clear this is only an issue if you are not
> using a webserver, like apache, in front of the Container. A properly
> configured apache renders these vulnerabilities moot.
>

I suppose that depends on the definition of "properly configured".  The standard
config files we generate for Apache would not protect all of the cases, although
they would catch some of them.

>
> -Nick

Craig
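The double-slash case in the advisory quoted above is the classic shape of a path-check bypass: a filter compares the raw request path against a literal prefix such as "/WEB-INF/", while the part of the container that actually maps the path to a file tolerates the extra slash, so the two disagree about which resource is being asked for. The following is an added example written for this archive page; it is not Tomcat's code and does not reproduce the fix committed to CVS. It places a hypothetical weak prefix check beside a check that first canonicalizes the path (percent-decoding, collapsing empty segments, resolving "." and "..", comparing case-insensitively) so that the string being tested is the same one the file system would see. The names `naive_is_blocked`, `canonical_segments`, `hardened_is_blocked` and the `PROTECTED_DIRS` set are my own, and the request URIs fed to them are constructed for the illustration.

```python
"""Added example: weak vs. canonicalizing checks for WEB-INF requests.
Not Tomcat code; function names and sample URIs are constructed here."""
from urllib.parse import unquote

# Assumption: directories a servlet container must never serve to a client.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}


def naive_is_blocked(context_path: str, request_uri: str) -> bool:
    """Hypothetical weak check: case-insensitive prefix test on the raw URI
    immediately after the context path.  For "/examples//WEB-INF/web.xml"
    the remainder is "//WEB-INF/web.xml", which does not start with
    "/WEB-INF/", so the request is let through."""
    rel = request_uri[len(context_path):].upper()
    return any(rel.startswith("/" + d + "/") for d in PROTECTED_DIRS)


def canonical_segments(request_uri: str) -> list:
    """Canonical path segments of a request URI:
    - percent-decode first, so %57EB-INF and %2F are seen as what they encode
    - drop empty segments (this collapses '//') and '.' segments
    - resolve '..' by popping the previous segment, never above the root"""
    segs = []
    for seg in unquote(request_uri).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return segs


def hardened_is_blocked(context_path: str, request_uri: str) -> bool:
    """Canonicalize both the context path and the request, then refuse if
    any segment inside the web application names a protected directory.
    A canonical path that no longer lies under the context (e.g. via '..')
    is refused as well rather than guessed at."""
    ctx = canonical_segments(context_path)
    segs = canonical_segments(request_uri)
    if segs[:len(ctx)] != ctx:
        return True
    rel = segs[len(ctx):]
    return any(seg.upper() in PROTECTED_DIRS for seg in rel)


if __name__ == "__main__":
    # Constructed sample requests against a context mounted at /examples.
    for uri in ("/examples/WEB-INF/web.xml",
                "/examples//WEB-INF/web.xml",
                "/examples/jsp/./../web-inf/web.xml",
                "/examples/%57EB-INF/web.xml",
                "/examples/jsp/snp/snoop.jsp"):
        print(f"{uri:40} naive={naive_is_blocked('/examples', uri)!s:5} "
              f"hardened={hardened_is_blocked('/examples', uri)}")
```

The point of the example is the ordering: decode and canonicalize first, then compare, and compare segment by segment rather than by string prefix. A check that runs before canonicalization can always be told a different story from the one the file-serving code hears. The same ordering applies to a front-end web server rule: a `Location` or `LocationMatch` rule that matches the literal text `/WEB-INF/` has the same blind spot as the naive check unless the server normalizes the path before matching, which is why Craig's reply above is cautious about "properly configured".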


