tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
Date Sat, 02 Aug 2008 07:37:51 GMT
William A. Rowe, Jr. wrote:
> Mark Thomas wrote:
>>
>> Description:
>> When using a RequestDispatcher the target path was normalised before the
>> query string was removed. A request that included a specially crafted
>> request parameter could be used to access content that would otherwise be
>> protected by a security constraint or by locating it under the WEB-INF
>> directory.
>>
>> Mitigation:
>> 6.0.x users should upgrade to 6.0.18
> 
> Stupid question, perhaps, but why weren't mitigations published with this
> advisory?  In general we want people to simply adopt the current version,
> but if they don't match the vulnerability conditions (or are willing to
> configure themselves away from them), this should not disrupt the active
> installations.

What mitigations are you thinking of?

The description is intended to be sufficient for a user to determine if
they match the vulnerability conditions. And for this notice I believe
it meets this criterion.

In this case there is no way of configuring yourself away from the 
vulnerability. If you use a RequestDispatcher, you are vulnerable.

Mark
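The ordering defect the advisory describes, as an added illustration that is not code from this thread or from Tomcat: a simplified model of a RequestDispatcher target being normalised before its query string is stripped, beside the corrected order. The `normalise`, `strip_query` and resolver names, the protected prefix check and the crafted target string are all constructed for this example.

```python
# Added example, not Tomcat's own code: a minimal model of why
# "normalise, then strip the query string" lets '..' segments inside a
# request parameter reach files under WEB-INF, while the reverse order
# does not. Tomcat's real normalisation logic is more involved.
from typing import List, Optional

PROTECTED_PREFIX = "/WEB-INF/"  # assumption: resources here must never be served


def normalise(path: str) -> Optional[str]:
    """Collapse '.' and '..' segments; return None if '..' climbs above
    the context root, which a caller must treat as a rejected request."""
    out: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def strip_query(target: str) -> str:
    """Drop everything from the first '?' onwards."""
    return target.split("?", 1)[0]


def resolve_vulnerable(target: str) -> Optional[str]:
    # Defective order: '..' inside the query string is still part of the
    # string when it is normalised, so it is applied as path traversal.
    normalised = normalise(target)
    return None if normalised is None else strip_query(normalised)


def resolve_fixed(target: str) -> Optional[str]:
    # Corrected order: the query string is gone before any '..' is resolved.
    return normalise(strip_query(target))


def is_protected(path: Optional[str]) -> bool:
    """A defender-side check: reject a rejected (None) or WEB-INF path."""
    return path is None or path.startswith(PROTECTED_PREFIX)


if __name__ == "__main__":
    crafted = "/pages/view.jsp?file=/../../WEB-INF/web.xml"  # constructed input
    print("vulnerable:", resolve_vulnerable(crafted))  # /WEB-INF/web.xml
    print("fixed:     ", resolve_fixed(crafted))       # /pages/view.jsp
```

Running the block shows the same crafted target resolving to a WEB-INF resource under the defective order and to the intended JSP under the corrected order; `is_protected` is the check a dispatcher would apply to the final resolved path.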

