tomcat-dev mailing list archives

From "David Cassidy" <david.cass...@db.com>
Subject single percent sign in a parameter causes an exception report detailing tomcat version
Date Fri, 16 Apr 2004 10:09:42 GMT
Guys,

We've had a pen test done on one of the apps we look after and they found an issue which I'd
like a little guidance on ...

(Accept that these guys are specifically sending iffy requests to cause the system to break
or detail what versions of the code are being used to provide ways of hacking in ..)

If you have a page that does
request.getParameter("paramName")
and you specify

page.jsp?paramName=%

The result is an exception report that details what version of tomcat you are running
(I've tried this with 4.1.29 and it does make a wonderful exception report!)

Anyone seen this before?
Anyone got a fix?


Thanks

David
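
A defensive check for the request described above, as an added example that is not part of the original message or of Tomcat's own code: a servlet filter that rejects a query string containing a malformed percent escape before any page calls request.getParameter(). The class name MalformedEscapeFilter and the response text are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name. Uses the javax.servlet API (assumed to match the deployed container).
public class MalformedEscapeFilter implements Filter {

    private static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    // True when every '%' in the raw query string starts a %XX escape.
    static boolean hasValidEscapes(String raw) {
        if (raw == null) return true;                  // request had no query string
        for (int i = 0; i < raw.length(); i++) {
            if (raw.charAt(i) != '%') continue;
            if (i + 2 >= raw.length() || !isHex(raw.charAt(i + 1)) || !isHex(raw.charAt(i + 2))) {
                return false;                          // e.g. "paramName=%"
            }
            i += 2;                                    // skip the two hex digits
        }
        return true;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse
                && !hasValidEscapes(((HttpServletRequest) req).getQueryString())) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Write a fixed body here so the reply does not depend on the
            // container's default error report.
            http.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            http.setContentType("text/plain");
            http.getWriter().write("Bad request");
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }
}
```

Register it with a `<filter>` and `<filter-mapping>` entry in the application's web.xml so it runs ahead of the JSP. Parameters sent in a POST body are not inspected by this check.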



