tomcat-dev mailing list archives

From: Yoav Shapira
Subject: Re: Apache Tomcat Web Root Path Disclosure Vulnerability
Date: Mon, 17 Oct 2005 21:51:08 GMT

The vulnerability was reported for 4.0.3.  That's not the same as only
affecting 4.0.3 ;)  4.0.6 and later, including 4.1.x, 5.0.x, and 5.5.x, should
be fine.  I think 3.3.x is fine as well.

This is a trivial vulnerability to test: ask the server for a resource that
does not exist, and look at the contents of the 404 error page.

This is also a trivial vulnerability to work around if you absolutely cannot
change server versions: put in a custom 404 error page with whatever content
you want.


--- Vineet Bhatia wrote:

> Hello,
> One of our customers running Apache Tomcat version 4.1.29 ran some type
> of a vulnerability scanner which detected an "Apache Tomcat Web Root
> Path Disclosure Vulnerability". Did some research on the net and many
> sites mentioned that this vulnerability only affected 4.0.3. But I want
> to get confirmation from this forum. Thanks.
> Vineet Bhatia
> Technical Support Engineering
> MailFrontier, Inc.
> ________________________________
> Please leave original e-mail in place when replying.

Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
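
The test described in the message above (request a resource that does not exist and read the 404 page), as an added example that is not part of the original thread: a small Python check to run against a server you operate. The function names, the list of Unix path roots and the two sample error bodies are assumptions made for illustration; the bodies are constructed, not captured from Tomcat.

```python
import html
import re
import urllib.error
import urllib.request
import uuid

# Absolute filesystem paths: Windows drive paths, or Unix paths under common
# roots. The lookbehind keeps URL paths such as http://host/opt/x from matching.
PATH_RE = re.compile(
    r"(?<![A-Za-z])[A-Za-z]:\\(?:[\w.\- ]+\\)*[\w.\-]+"
    r"|(?<![\w/.:])/(?:usr|opt|var|home|srv|etc|tmp)(?:/[\w.\-]+)+"
)

# Constructed 404 bodies for the offline demonstration (assumed layout).
LEAKY = (
    "<html><body><h1>HTTP Status 404</h1><p>JSP file "
    "&quot;C:\\tomcat\\webapps\\ROOT\\nope.jsp&quot; not found</p></body></html>"
)
CUSTOM = "<html><body><h1>Not found</h1><p><a href='/index.html'>Home</a></p></body></html>"


def leaked_paths(body: str) -> list[str]:
    """Return the distinct absolute filesystem paths visible in an error page."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))  # drop tags, decode entities
    found = []
    for match in PATH_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def check_server(base_url: str, timeout: float = 5.0) -> list[str]:
    """Request a random, nonexistent .jsp and inspect the error body for paths."""
    url = base_url.rstrip("/") + "/" + uuid.uuid4().hex + ".jsp"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:  # a 404 is raised as HTTPError
        body = err.read()
    return leaked_paths(body.decode("utf-8", "replace"))


if __name__ == "__main__":
    print("default-style page:", leaked_paths(LEAKY))
    print("custom 404 page:   ", leaked_paths(CUSTOM))
```

An empty list from `check_server` after installing the custom 404 page mentioned in the message indicates the workaround is in effect for that request path.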
