tomcat-dev mailing list archives

From Yoav Shapira <yo...@apache.org>
Subject Re: Apache Tomcat Web Root Path Disclosure Vulnerability
Date Mon, 17 Oct 2005 21:51:08 GMT
Hi,
The vulnerability was reported for 4.0.3.  That's not the same as only
affecting 4.0.3 ;)  4.0.6 and later, including 4.1.x, 5.0.x, and 5.5.x, should
be fine.  I think 3.3.x is fine as well.

This is a trivial vulnerability to test: ask the server for a resource that
does not exist, and look at the contents of the 404 error page.

This is also a trivial vulnerability to work around if you absolutely cannot
change server versions: put in a custom 404 error page with whatever content
you want.

Yoav

--- Vineet Bhatia <vbhatia@mailfrontier.com> wrote:

> Hello,
> 
> One of our customers running Apache Tomcat version 4.1.29 ran some type
> of a vulnerability scanner which detected an "Apache Tomcat Web Root
> Path Disclosure Vulnerability". Did some research on the net and many
> sites mentioned that this vulnerability only affected 4.0.3. But I want
> to get confirmation from this forum. Thanks.
> 
> Vineet Bhatia
> Technical Support Engineering
> MailFrontier, Inc.
> http://www.MailFrontier.com
> ________________________________
> 
> Please leave original e-mail in place when replying.


Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com
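
The test described in the message above (request a resource that does not exist and inspect the 404 page), as an added example that is not part of the original thread. The path patterns, the function names and the sample bodies are assumptions constructed for illustration; they are not output captured from any Tomcat version.

```python
import re
import urllib.error
import urllib.request
import uuid

# Heuristic (assumption): a leak shows up as an absolute Windows or Unix path.
PATH_PATTERNS = [
    re.compile(r"[A-Za-z]:\\(?:[\w .$-]+\\)+[\w.$-]*"),   # C:\dir\sub\file
    re.compile(r"(?<![\w:/.])/(?:[\w.$-]+/)+[\w.$-]+"),    # /dir/sub/file, not URLs
]

# Constructed sample bodies, not captured from any real server.
LEAKY_404 = ("<h1>HTTP Status 404</h1><p>File not found: "
             "/opt/tomcat/webapps/ROOT/nope/missing.jsp</p>")
LEAKY_404_WIN = "<p>C:\\Tomcat\\webapps\\ROOT\\nope.jsp is not available</p>"
CUSTOM_404 = ('<html><body><h1>Page not found</h1>'
              '<p>Back to <a href="/index.html">home</a>.</p></body></html>')


def find_path_leaks(body, requested_path=""):
    """Return filesystem-like paths in an error page, skipping the echoed request path."""
    hits = []
    for pattern in PATH_PATTERNS:
        for match in pattern.findall(body):
            hit = match.rstrip(".")
            if hit != requested_path and hit not in hits:
                hits.append(hit)
    return hits


def check_server(base_url):
    """Ask for a resource that does not exist and scan the error page body."""
    path = "/" + uuid.uuid4().hex + "/missing.jsp"
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a 404 response is raised as HTTPError
        body = err.read().decode("utf-8", "replace")
    return find_path_leaks(body, path)


if __name__ == "__main__":
    for name, body in [("leaky", LEAKY_404), ("leaky-win", LEAKY_404_WIN),
                       ("custom", CUSTOM_404)]:
        print(name, find_path_leaks(body))
```

A custom 404 page is mapped in the web application's `web.xml` with an `<error-page>` entry for error code 404; once it is in place, `check_server` on that server should return an empty list.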
