tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 24960] New: - CGI module reveals server internals details to all
Date Tue, 25 Nov 2003 03:10:03 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24960>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24960

CGI module reveals server internals details to all

           Summary: CGI module reveals server internals details to all
           Product: Tomcat 4
           Version: 4.1.29
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Servlets:CGI
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: James.H.Manger@team.telstra.com


A request to a context that supports CGI for a CGI script that does not exist 
results in an error page that includes a whole swag of internal context 
details.  Some of these details, such as context init parameters, may be 
sensitive (e.g. passwords).

The problem is in org.apache.catalina.servlets.CGIServlet.  Its doGet() method 
calls printServletEnvironment() when (certain) errors occur.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
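
A regression check for the leak this report describes, as an added example that is not part of the original report or of Tomcat's code: it reads the context init parameters from a `web.xml` and flags any whose value appears in an error-page body. The sample descriptor, parameter names and response bodies are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from the bug report).
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <context-param>
    <param-name>dbPassword</param-name>
    <param-value>s3cr3t&amp;constructed</param-value>
  </context-param>
  <context-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </context-param>
</web-app>"""

def _local(tag):
    """Strip an XML namespace so descriptors with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def context_params(web_xml_text):
    """Return {param-name: param-value} for every <context-param> element."""
    params = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name"):
            params[fields["param-name"]] = fields.get("param-value", "")
    return params

def leaked_params(body, params, min_len=4):
    """Names of context params whose value appears in an error-page body.

    Checks the raw and the HTML-escaped value; values shorter than min_len
    are skipped because they match unrelated text too easily.
    """
    leaked = []
    for name, value in params.items():
        if len(value) < min_len:
            continue
        if value in body or html.escape(value) in body:
            leaked.append(name)
    return sorted(leaked)

# Constructed error bodies: one dumps context details, one is a plain 404.
VERBOSE_BODY = "<h1>CGI error</h1><li>dbPassword = s3cr3t&amp;constructed</li>"
PLAIN_BODY = "<h1>404 Not Found</h1>"
```

Run against the body returned for a non-existent CGI script in a test deployment, a non-empty result from `leaked_params` means the error page is exposing configuration values.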

