tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
Date Sat, 02 Aug 2008 07:37:51 GMT
William A. Rowe, Jr. wrote:
> Mark Thomas wrote:
>> Description:
>> When using a RequestDispatcher the target path was normalised before the
>> query string was removed. A request that included a specially crafted
>> request parameter could be used to access content that would otherwise be
>> protected by a security constraint or by locating it under the WEB-INF
>> directory.
>> Mitigation:
>> 6.0.x users should upgrade to 6.0.18
> Stupid question, perhaps, but why weren't mitigations published with this
> advisory?  In general we want people to simply adopt the current version,
> but if they don't match the vulnerability conditions (or are willing to
> configure themselves away from them), this should not disrupt the active
> installations.

What mitigations are you thinking of?

The description is intended to be sufficient for a user to determine if
they match the vulnerability conditions. And for this notice I believe
it meets this criterion.

In this case there is no way of configuring yourself away from the 
vulnerability. If you use a RequestDispatcher, you are vulnerable.


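The order-of-operations defect the advisory describes (normalise the target path, then strip the query string) can be shown with a small Java model. The code below is an added illustration, not part of this thread and not Tomcat's own code: the normaliser and query-string handling are simplified stand-ins for the RequestDispatcher path resolution, and the sample target string is constructed for the demonstration. It contrasts the vulnerable order with the fixed order (strip the query string first, then normalise) and offers a check a reviewer can use to tell whether a given target string's query part would have influenced the resolved servlet path under the old behaviour.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Model of the RequestDispatcher target-path resolution order behind
 * CVE-2008-2370. Assumption: this is a simplified stand-in for the
 * container's path handling, written for illustration only.
 */
public class DispatcherPathOrder {

    /** Collapse "." and ".." segments in a slash-separated path. */
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;              // skip empty and current-dir segments
            }
            if (seg.equals("..")) {
                if (!segments.isEmpty()) {
                    segments.pollLast(); // step up one directory
                }
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** Remove everything from the first '?' onwards. */
    static String stripQuery(String path) {
        int q = path.indexOf('?');
        return q < 0 ? path : path.substring(0, q);
    }

    /** Vulnerable order (pre-6.0.18): normalise first, strip the query string afterwards. */
    static String resolveVulnerable(String target) {
        return stripQuery(normalize(target));
    }

    /** Fixed order: strip the query string first, then normalise what remains. */
    static String resolveFixed(String target) {
        return normalize(stripQuery(target));
    }

    /**
     * True when the query part of the target would have changed the resolved
     * servlet path under the vulnerable order. Useful when auditing dispatcher
     * targets built from request data.
     */
    static boolean queryAltersTarget(String target) {
        return !resolveVulnerable(target).equals(resolveFixed(target));
    }

    public static void main(String[] args) {
        // Constructed sample: a dispatcher target whose query string carries ".." segments.
        String target = "/jsp/view.jsp?name=/../../WEB-INF/web.xml";

        System.out.println("target            : " + target);
        System.out.println("vulnerable order  : " + resolveVulnerable(target)); // /WEB-INF/web.xml
        System.out.println("fixed order       : " + resolveFixed(target));      // /jsp/view.jsp
        System.out.println("query alters path : " + queryAltersTarget(target)); // true

        // A benign target resolves identically under both orders.
        String benign = "/jsp/view.jsp?name=report";
        System.out.println("benign, both orders agree: " + !queryAltersTarget(benign)); // true
    }
}
```

Under the vulnerable order the ".." segments inside the query string are consumed by the normaliser and walk the path into WEB-INF before the query string is ever removed; under the fixed order the query string is gone before normalisation runs, so the resolved path is exactly the servlet path the caller named. This is why the reply above says there is no configuration that avoids the issue: the ordering lives in the dispatcher itself, so the remedy is the upgrade the advisory lists.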