tomcat-dev mailing list archives

From Nick Bauman
Subject Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
Date Tue, 12 Dec 2000 05:44:31 GMT
On Mon, 11 Dec 2000, Craig R. McClanahan wrote:

> Tomcat 3.2 final has the following security vulnerabilities that have
> subsequently been fixed in the CVS repository:
> * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
>   expose sensitive information (note the double slash after "examples").
> * The "Show Source" custom tag used to display JSP source code can
>   be used to expose sensitive information in WEB-INF.

BTW: I think it should be made clear this is only an issue if you are not
using a webserver, like Apache, in front of the Container. A properly
configured Apache renders these vulnerabilities moot.
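
A check of the kind that refuses the first URL quoted above, normalizing the path before looking for a `WEB-INF` segment. This is an added example, not part of the original message, not Tomcat's code and not the fix committed to CVS. The class and method names are hypothetical, the sample paths are constructed, and the path is assumed to have been percent-decoded already.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical helper (not Tomcat code): decides whether a request path,
// already percent-decoded, may be served directly to a client.
public final class ProtectedPathCheck {

    // Drop empty and "." segments and resolve ".." so that
    // "/examples//WEB-INF/web.xml" and "/examples/WEB-INF/web.xml"
    // normalize to the same string. Returns null if ".." climbs above the root.
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {
                    return null;
                }
                out.removeLast();
            } else {
                out.addLast(seg);
            }
        }
        return "/" + String.join("/", out);
    }

    // Refuse any path with a WEB-INF segment. The comparison ignores case
    // on the assumption that the file system may be case-insensitive.
    static boolean isServable(String path) {
        String norm = normalize(path);
        if (norm == null) {
            return false;
        }
        for (String seg : norm.split("/")) {
            if (seg.equalsIgnoreCase("WEB-INF")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[] samples = {            // constructed sample paths
            "/examples/index.html",
            "/examples//WEB-INF/web.xml",   // the double-slash form from the advisory
            "/examples/./web-inf/web.xml",
            "/examples/jsp/../WEB-INF/web.xml"
        };
        for (String p : samples) {
            System.out.println((isServable(p) ? "serve  " : "refuse ") + p);
        }
    }
}
```

Only the first sample is served; the other three normalize to a path containing a `WEB-INF` segment and are refused.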

