tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Peter Thomas" <peter.tho...@securitywatch.com>
Subject [Fwd: Re: CHINANSL Security Advisory(CSA-200108)]
Date Mon, 02 Apr 2001 09:37:36 GMT
Dear Apache, 

Further to these postings on Bugtraq, could you confirm whether this
directory traversal vulnerability has indeed been fixed in the latest
versions of TomCat. 

Kindest regards,


Peter Thomas - Editor - http://www.securitywatch.com 
tel +32 (0)16 28 73 14 - fax +32 (0)16 28 7288   
Grensstraat 1b - B-3010 Leuven - Belgium

*E-security rule #1: ignorance is never a defense*



-------- Original Message --------
From: jon@LATCHKEY.COM (Jon Stevens)
Subject: Re: CHINANSL Security Advisory(CSA-200108)
Newsgroups: lists.bugtraq

on 3/30/01 11:26 PM, "lovehacker" <lovehacker@263.NET> wrote:

> Topic:
> Tomcat 3.2.1 for win2000 Directory traversal
> Vulnerability
>
> vulnerable:
> Tomcat 3.2.1 for win2000
> maybe for other operating system also.
>
> discussion:
> A security vulnerability has been found in Windows
> NT/2000 systems that have Tomcat 3.2.1
> installed.The
> vulnerability allows remote attackers to access files
> outside the document root directory scope.
>
> exploits:
> http://target:8080/%2e%2e/%2e%2e/%00.jsp
> It is possible to cause the Tomcat server to Listing
> outside the document root directory scope.
>
> solution:
> None
>
> Copyright 2000-2001 CHINANSL. All Rights
> Reserved. Terms of use.
>
> CHINANSL Security Team
> <lovehacker@chinansl.com>
> CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> (http://www.chinansl.com)

What is with this Copyright stuff?

#1. Please report security issues to security@apache.org and/or
tomcat-dev@jakarta.apache.org first. It seems like that is a common
courtesy.

#2. Please test against the latest Tomcat 4.0 which is 4.0b2. I believe
that
this has already been fixed.

p.s. Your lovehacker@263.net email address bounces.

-jon

Mime
View raw message