tomcat-dev mailing list archives

From "Bill Barker" <>
Subject Re: Tomcat 3.2.x problem with MS-DOS device names
Date Wed, 20 Feb 2008 08:22:04 GMT
I seem to recall that this was fixed in 3.2.4, but I can't be sure since I 
mostly passed over those commit messages at the time.  It was the reason to 
produce 3.3.1a, so is also fixed in 3.3.2 (easier upgrade path).  However, 
it hangs connections pretty consistently on affected systems, so if you get 
a 404 (what I would expect from TC5+), then the bug isn't really there.

"Mamatha Rao (mamtarao)" <> wrote in message

Our application used Tomcat 3.2 and Nessus scan reported the following
CVE against it

Tomcat release notes suggest fixing defect in 3.3.1a and later. We moved
to Tomcat 5.5 and still saw Nessus reporting the same vulnerability. The
Nessus scan may not be accurate since we ensured that Tomcat did not
actually freeze after the attack.

However, we are now stuck in verifying the vulnerability existed in
Tomcat 3.2. Have tried testing with a sample servlet - it returns a 404
Not Found error on requests like http://[ip addr]:8080/test/aux.jsp.
Traces show something like Bad pathname
        at Method)
        at org.apache.tomcat.util.FileUtil.safePath(
        at org.apache.tomcat.core.Context.getRealPath(
2008-02-19 10:18:05 - Ctx( /test ): 404 R( /test + /aux.jsp + null) JSP
file not
2008-02-19 10:18:05 - Ctx( /test ): Handler
tomcat.notFoundHandler(null/null) to

on such requests. And even with limiting the number of threads, Tomcat
does not freeze. And thread dumps don't indicate anything wrong.

Have tried it both on Windows 2000 server and Windows XP. Is there any
dependency on Windows versions?
<BLOCKED::>  seems to
suggest it occurs in certain Windows systems while
<BLOCKED::>  says it occurs in
all versions of Windows.
<>  - This mail
thread is referring to some similar/same(?) bug and suggests even Windows
NT, 2000 have a problem but maybe Tomcat 3.2.4 doesn't show the problem.

Does anyone remember if this vulnerability can be triggered in Tomcat
3.2 and how? Any pointers to the bug fix in subversion would also help.
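
The trace quoted above shows a request for /test/aux.jsp ending in "Bad pathname" and a 404. As an added illustration (not Tomcat's FileUtil.safePath and not code from this thread), here is a path check of that general kind; the class name, method name and sample paths are hypothetical, and the reserved-name list is general Windows knowledge rather than something stated in the thread.

```java
import java.util.regex.Pattern;

public class DeviceNameCheck {
    // Reserved MS-DOS device names on Windows (assumed list, not from the thread).
    private static final Pattern RESERVED = Pattern.compile(
            "(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])", Pattern.CASE_INSENSITIVE);

    /**
     * Returns true if any segment of an already URL-decoded path names a
     * DOS device. Hypothetical helper, written for this example only.
     */
    static boolean hasDeviceSegment(String decodedPath) {
        for (String segment : decodedPath.split("[/\\\\]")) {
            // The extension does not matter: "aux.jsp" still refers to the
            // AUX device, so compare only the part before the first dot.
            int dot = segment.indexOf('.');
            String base = dot >= 0 ? segment.substring(0, dot) : segment;
            // "AUX:" is the classic device syntax; drop a colon suffix too.
            int colon = base.indexOf(':');
            if (colon >= 0) {
                base = base.substring(0, colon);
            }
            // Surrounding spaces are ignored so "aux .jsp" is also caught.
            if (RESERVED.matcher(base.trim()).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths; only /test/aux.jsp appears in the thread.
        String[] samples = {
            "/test/aux.jsp", "/test/index.jsp", "/test/COM1",
            "/test/auxiliary.jsp", "/test/sub/nul.txt", "/test/Aux:.jsp"
        };
        for (String path : samples) {
            String verdict = hasDeviceSegment(path) ? "reject (404)" : "allow";
            System.out.println(verdict + "  " + path);
        }
    }
}
```

A request rejected by a check like this never reaches a file open, which matches the immediate 404 in the quoted log rather than a hung connection.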

