Message-ID: <48940ECF.20004@apache.org>
Date: Sat, 02 Aug 2008 08:37:51 +0100
From: Mark Thomas
To: Tomcat Developers List
Subject: Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
References: <48931869.8070408@apache.org> <4893A0E8.4080407@rowe-clan.net>
In-Reply-To: <4893A0E8.4080407@rowe-clan.net>

William A. Rowe, Jr. wrote:
> Mark Thomas wrote:
>>
>> Description:
>> When using a RequestDispatcher the target path was normalised before the
>> query string was removed. A request that included a specially crafted
>> request parameter could be used to access content that would otherwise be
>> protected by a security constraint or by locating it under the WEB-INF
>> directory.
>>
>> Mitigation:
>> 6.0.x users should upgrade to 6.0.18
>
> Stupid question, perhaps, but why weren't mitigations published with this
> advisory? In general we want people to simply adopt the current version,
> but if they don't match the vulnerability conditions (or are willing to
> configure themselves away from them), this should not disrupt the active
> installations.

What mitigations are you thinking of?

The description is intended to be sufficient for a user to determine if they match the vulnerability conditions, and for this notice I believe it meets that criterion.

In this case there is no way of configuring yourself away from the vulnerability. If you use a RequestDispatcher, you are vulnerable.

Mark
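As an added illustration of the ordering error the advisory describes (a constructed Python model written for this note, not Tomcat's code; the sample dispatcher target and the `resolve_*`/`is_protected` names are assumptions), normalising the target before its query string is separated lets `..` segments carried in a parameter fold into the path, while the corrected order normalises only the path part:

```python
"""Model of the ordering bug behind CVE-2008-2370 (constructed illustration,
not Tomcat's code): normalising a RequestDispatcher target before its query string is split off."""
from typing import Optional, Tuple

def normalize(path: str) -> Optional[str]:
    """Collapse '.' and '..' segments as a container does before mapping a
    path to a resource; a '..' that climbs above the context root is rejected."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def split_query(target: str) -> Tuple[str, str]:
    """Separate the path part of a dispatcher target from its query string."""
    path, sep, query = target.partition("?")
    return path, (query if sep else "")

def resolve_vulnerable(target: str) -> Optional[Tuple[str, str]]:
    """Broken ordering: normalise first, then strip the query string, so
    '..' segments carried in a request parameter fold into the path."""
    normalized = normalize(target)
    return None if normalized is None else split_query(normalized)

def resolve_fixed(target: str) -> Optional[Tuple[str, str]]:
    """Correct ordering: strip the query string first, then normalise only
    the path; the query string can no longer move the resolved path."""
    path, query = split_query(target)
    normalized = normalize(path)
    return None if normalized is None else (normalized, query)

def is_protected(path: str) -> bool:
    """Content a container must never serve through a dispatcher."""
    return path == "/WEB-INF" or path.startswith("/WEB-INF/")

if __name__ == "__main__":
    # Constructed target: an application forwards to a page and passes untrusted input into the query string.
    target = "/dir/page.jsp?param=/../../WEB-INF/web.xml"
    for name, resolver in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        result = resolver(target)
        print(name, result, "PROTECTED" if result and is_protected(result[0]) else "ok")
```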