tomcat-dev mailing list archives

From Richard Murphy <rmur...@hbs.edu>
Subject Re: [SECURITY] More information on Tomcat 4.0.3
Date Thu, 07 Mar 2002 14:51:00 GMT
Heads up Tomcatters ...

Richard

Remy Maucherat wrote:

> After additional review, it has been discovered that the security bug fixed
> in Tomcat 4.0.3 was more severe than originally thought, and can be used to
> remotely browse the server filesystem.
>
> To exploit this bug, an attacker would require that some user modifiable
> data (like form POST data, or a URL) is directly used by a servlet or JSP
> in a request dispatcher forward or include.
>
> It can be hard to determine if an installation of Tomcat is vulnerable to
> this exploit, as it depends on the web applications installed.
> IMPORTANT NOTE: The default Tomcat installation is NOT vulnerable to this
> bug.
>
> Because of this, it is HIGHLY recommended that all Tomcat 4.0.x users
> either:
> - Apply the binary patch which is available at
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/
> Note: This particular patch can be applied on all official 4.0.x releases
> (including 4.0, 4.0.1 and 4.0.2).
> - Upgrade to Tomcat 4.0.3.
> - Upgrade to Tomcat 4.0.4 Beta 1.
>
> Bugzilla report on this problem:
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772
>
> Remy
>
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


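For anyone auditing their own web applications for the pattern Remy describes (user-modifiable data passed straight into a request dispatcher forward or include), here is an added example that is not code from the Tomcat project or from this thread: a hypothetical servlet showing the risky pattern beside an allowlisted version. The class name, the "page" parameter and the JSP paths are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not from Tomcat or this thread) illustrating the
 * pattern the advisory warns about: a request parameter used directly as a
 * RequestDispatcher path. The hardened handler resolves the parameter
 * through a fixed allowlist instead, so the client never supplies a path.
 */
public class PageServlet extends HttpServlet {

    // RISKY PATTERN (what to look for when auditing): the dispatcher path is
    // taken straight from the request, so the client decides the target.
    protected void doGetUnsafe(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");
        RequestDispatcher rd = req.getRequestDispatcher(page);
        rd.forward(req, resp);
    }

    // HARDENED PATTERN: the client supplies only a key; the servlet maps it to
    // a path it owns. Any key not in the allowlist is rejected outright.
    private static final Map<String, String> PAGES = Map.of(
        "home", "/WEB-INF/jsp/home.jsp",   // assumed JSP location
        "help", "/WEB-INF/jsp/help.jsp");  // assumed JSP location

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = resolvePage(req.getParameter("page"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown page");
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }

    /** Returns the allowlisted dispatcher path for a key, or null if unknown. */
    static String resolvePage(String key) {
        return key == null ? null : PAGES.get(key);
    }
}
```

Searching a code base for getRequestDispatcher and include/forward calls whose argument derives from getParameter, getPathInfo or the request URL is the practical way to answer the "is my installation vulnerable" question Remy raises.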