tomcat-dev mailing list archives

From "Remy Maucherat" <r...@apache.org>
Subject [4.0] [Security] Security problem when using the SecurityManager with a request dispatcher
Date Wed, 27 Feb 2002 20:45:21 GMT
Hi,

A security problem affecting Tomcat 4.0.2 (and all versions of 4.x) has been
reported, which allows getting a request dispatcher to a URL outside of the
context root.

This is not a security problem when NOT using a security manager, since it
is always possible to use direct filesystem access to achieve the same
result.

However, this vulnerability allows bypassing the security manager
protection and serving resources located anywhere on the server.

For example, this vulnerability can be reproduced by adding an include
command inside a JSP page, like
<jsp:include page="../../../foo2/jsp/include/bar.txt"/>.

A Tomcat release including the fix will be made available shortly.

Remy


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
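As an added illustration (not code from the message above or from Tomcat itself), this is the kind of check a container has to apply before handing out a request dispatcher: resolve the include path against the calling resource, normalize it segment by segment, and refuse any result that pops above the context root. The class name, the method name and the caller path "/jsp/include/page.jsp" are assumptions made for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Hypothetical helper: resolves a jsp:include / dispatcher path and rejects
 * anything that would leave the web application's context root.
 */
public final class ContextPathGuard {

    private ContextPathGuard() {}

    /**
     * @param callerPath  context-relative path of the resource doing the
     *                    include, e.g. "/jsp/include/page.jsp"
     * @param includePath value of the page attribute (relative or absolute)
     * @return normalized context-relative path starting with "/", or null
     *         when the path would escape the context root
     */
    public static String resolve(String callerPath, String includePath) {
        // Relative paths resolve against the caller's directory; absolute
        // ones (leading "/") are already context-relative.
        String base = includePath.startsWith("/")
                ? ""
                : callerPath.substring(0, callerPath.lastIndexOf('/') + 1);
        String combined = base + includePath;

        Deque<String> stack = new ArrayDeque<>();
        for (String seg : combined.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                 // "//" and "." contribute nothing
            }
            if (seg.equals("..")) {
                if (stack.isEmpty()) {
                    return null;          // ".." with nothing left to pop:
                }                         // this is the traversal from the advisory
                stack.removeLast();
                continue;
            }
            stack.addLast(seg);
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // The path quoted in the advisory, included from /jsp/include/page.jsp:
        // three ".." segments exhaust the two directories above it, so resolve() returns null.
        System.out.println(resolve("/jsp/include/page.jsp", "../../../foo2/jsp/include/bar.txt"));
        // A sibling resource stays inside the context and resolves normally.
        System.out.println(resolve("/jsp/include/page.jsp", "bar.txt"));
    }
}
```

Run the check only after the path has been URL-decoded, and reject backslashes and other separators the filesystem might honour, otherwise an encoded variant of the same traversal can slip past the segment comparison.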

