Delivered-To: apmail-jakarta-tomcat-dev-archive@apache.org
Received: (qmail 54335 invoked from network); 12 Aug 2003 23:44:09 -0000
Received: from exchange.sun.com (192.18.33.10) by daedalus.apache.org with SMTP; 12 Aug 2003 23:44:09 -0000
Received: (qmail 3386 invoked by uid 97); 12 Aug 2003 23:46:56 -0000
Delivered-To: qmlist-jakarta-archive-tomcat-dev@nagoya.betaversion.org
Received: (qmail 3379 invoked from network); 12 Aug 2003 23:46:56 -0000
Received: from daedalus.apache.org (HELO apache.org) (208.185.179.12) by nagoya.betaversion.org with SMTP; 12 Aug 2003 23:46:56 -0000
Received: (qmail 53576 invoked by uid 500); 12 Aug 2003 23:44:01 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Id: "Tomcat Developers List"
Reply-To: "Tomcat Developers List"
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 53559 invoked from network); 12 Aug 2003 23:44:01 -0000
Received: from prv-mail20.provo.novell.com (137.65.81.122) by daedalus.apache.org with SMTP; 12 Aug 2003 23:44:01 -0000
Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Tue, 12 Aug 2003 17:44:09 -0600
X-Mailer: Novell GroupWise Internet Agent 6.5.1
Date: Tue, 12 Aug 2003 17:43:59 -0600
From: "Jeff Tulley"
Subject: Tomcat 4.1.24 & JVM 1.4.2 security hole?
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

The user list has been busy lately discussing a possible security hole, but only 1/3 of the people in the thread could see the problem. I finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2, but NOT with JVM 1.4.1. The vulnerability is that if you stick a "%20" on the end of a .jsp URL, you get the source.
I have not tried this with Tomcat versions later than 4.1.24 once I actually saw the problem.

Jeff Tulley (jtulley@novell.com)
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
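Added example (not part of Jeff's message or of Tomcat itself): a small log check a defender could run to find the request shape the post describes, a `.jsp` path whose percent-decoded form ends in whitespace. The post does not explain the mechanism, so the check stays generic: it decodes the request path, strips trailing whitespace, and flags the request when the stripped path ends in a watched extension but the original did not. The access-log lines, IP addresses and paths below are constructed sample data, and the Common Log Format layout is an assumption about how the server logs requests.

```python
"""Flag requests whose decoded path is '<something>.jsp' followed only by
whitespace (e.g. a trailing %20 or %09). Constructed example, not Tomcat code."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2003:17:40:01 -0600] "GET /examples/jsp/num/numguess.jsp HTTP/1.1" 200 1532
10.0.0.7 - - [12/Aug/2003:17:40:09 -0600] "GET /examples/jsp/num/numguess.jsp%20 HTTP/1.1" 200 2210
10.0.0.9 - - [12/Aug/2003:17:41:00 -0600] "GET /index.html%20 HTTP/1.1" 404 0
10.0.0.7 - - [12/Aug/2003:17:41:30 -0600] "GET /admin/login.jsp%09 HTTP/1.0" 200 3001
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Extensions that are normally handled by a servlet rather than served as files.
WATCHED_EXTENSIONS = (".jsp",)


def trailing_whitespace_after_ext(raw_path, extensions=WATCHED_EXTENSIONS):
    """Return True when the percent-decoded path, with trailing whitespace
    removed, ends in a watched extension but the undecoded path did not.

    A path like '/a/b.jsp%20' decodes to '/a/b.jsp ' and is flagged;
    '/a/b.jsp' and '/index.html%20' are not."""
    path = unquote(raw_path.split("?", 1)[0])   # ignore any query string
    stripped = path.rstrip()                     # drop trailing space/tab/etc.
    if stripped == path:
        return False                             # nothing was trailing
    return stripped.lower().endswith(tuple(e.lower() for e in extensions))


def scan_log(text):
    """Parse CLF lines and return the requests that match the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                             # skip lines that are not CLF
        if trailing_whitespace_after_ext(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} requested {hit["path"]!r} -> {hit["status"]}')
```

The same `trailing_whitespace_after_ext` predicate can serve as a request-time guard in front of the application (reject or normalize before dispatch), since it works on the raw path string rather than on log lines. A 200 response to a flagged path is the case worth investigating; a 404 means the server did not serve anything.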