tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 389] New - Security Issue? Important attributes exposed by ServletContext can be modified BugRat Report#682
Date Mon, 12 Mar 2001 21:27:37 GMT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=389

*** shadow/389	Mon Mar 12 13:27:37 2001
--- shadow/389.tmp.1035	Mon Mar 12 13:27:37 2001
***************
*** 0 ****
--- 1,22 ----
+ +============================================================================+
+ | Security Issue? Important attributes exposed by ServletContext can be modi |
+ +----------------------------------------------------------------------------+
+ |        Bug #: 389                         Product: Tomcat 4                |
+ |       Status: UNCONFIRMED                 Version: 4.0 Beta 1              |
+ |   Resolution:                            Platform: All                     |
+ |     Severity: Normal                   OS/Version: All                     |
+ |     Priority: High                      Component: Catalina                |
+ +----------------------------------------------------------------------------+
+ |  Assigned To: craig.mcclanahan@eng.sun.com                                 |
+ |  Reported By: rmandava@talentportal.com                                    |
+ |      CC list: Cc:                                                          |
+ +----------------------------------------------------------------------------+
+ |          URL:                                                              |
+ +============================================================================+
+ |                              DESCRIPTION                                   |
+ Hi:
+ 
+   The attributes such as "org.apache.catalina.classloader", "org.apache.catalina.jsp_classpath"
are exposed through ServletContext and can be easily modified. No security violation is generated
and anybody with an application installed on the web server can modify these variables. Is
n't it a security problem for Tomcat?
+ 
+ Thanks
+ -Ramesh
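Review bot: the DESCRIPTION text at the end of this hunk says the two named attributes "can be easily modified" and that "No security violation is generated", but it does not say which ServletContext call was used or whether Tomcat was running with a security manager enabled. Adding the exact call and the startup configuration would let the assignee reproduce the behaviour and move the bug out of UNCONFIRMED.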

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org

