tomcat-dev mailing list archives

From "Jeff Tulley" <>
Subject Tomcat 4.1.24 & JVM 1.4.2 security hole?
Date Tue, 12 Aug 2003 23:43:59 GMT
The user list has been busy lately discussing a possible security hole,
but only 1/3 of the people in the thread could see the problem.  I
finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2,
but NOT with JVM 1.4.1.  

The vulnerability is that if you stick a "%20" on the end of a .jsp
URL, you get the source.

I have not tried this with Tomcat versions later than 4.1.24 once I
actually saw the problem. 

Jeff Tulley  (
Novell, Inc., The Leading Provider of Net Business Solutions
