tomcat-dev mailing list archives

From BugRat Mail System <tomcat-b...@cortexity.com>
Subject BugRat Report #682 has been filed.
Date Tue, 02 Jan 2001 04:52:11 GMT
Bug report #682 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com/BugRatViewer/ShowReport/682>

REPORT #682 Details.

Project: Catalina
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public
Environment: 
   Release: m5
   JVM Release: ANY
   Operating System: ANY
   OS Release: ANY
   Platform: ANY

Synopsis: 
Security Issue? Important attributes exposed by ServletContext can be modified

Description:
Hi:

  The attributes such as "org.apache.catalina.classloader", "org.apache.catalina.jsp_classpath"
are exposed through ServletContext and can be easily modified. No security violation is generated
and anybody with an application installed on the web server can modify these variables.
Isn't it a security problem for Tomcat?

Thanks
-Ramesh
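
One way a container could make the attributes named in the report read-only for web applications, shown as an added example that is not part of the original report and is not Tomcat's own code. The class name `ReadOnlyContainerAttributes`, the `guard` method and the assumption that all container-owned attributes start with `org.apache.catalina.` are hypothetical; it needs Java 8 or later and the Servlet API on the classpath.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import javax.servlet.ServletContext;

/**
 * Hypothetical helper: gives web applications a ServletContext view in which
 * container-owned attributes can be read but not replaced or removed.
 */
public final class ReadOnlyContainerAttributes {

    // Assumption: every container-internal attribute shares this prefix,
    // as the two names quoted in the report do.
    private static final String RESERVED_PREFIX = "org.apache.catalina.";

    private ReadOnlyContainerAttributes() {}

    /** Wraps the real context; only the wrapper is handed to application code. */
    public static ServletContext guard(ServletContext real) {
        InvocationHandler handler = (proxy, method, args) -> {
            String name = method.getName();
            boolean mutates = name.equals("setAttribute")
                    || name.equals("removeAttribute");
            // Both mutating methods take the attribute name as first argument.
            if (mutates && args != null && args.length > 0
                    && args[0] instanceof String
                    && ((String) args[0]).startsWith(RESERVED_PREFIX)) {
                throw new SecurityException(
                        "attribute " + args[0] + " is read-only for web applications");
            }
            try {
                // Everything else, including getAttribute, passes through.
                return method.invoke(real, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the exception the real context threw
            }
        };
        return (ServletContext) Proxy.newProxyInstance(
                ServletContext.class.getClassLoader(),
                new Class<?>[] { ServletContext.class },
                handler);
    }
}
```

The guard only helps if the container never hands the unwrapped context to application code. It also protects the name-to-value binding only: a mutable object returned by `getAttribute` can still be changed by the caller.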
