tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: JSP security article
Date Thu, 12 Oct 2000 19:00:22 GMT
William Brogden wrote:

> Here is an interesting article on server security:
> http://www.builder.com/Servers/SecurityIssues/100400/?tag=st.bl.3880.linksgp
>
> Tomcat is not mentioned - I wonder if it is vulnerable to these
> exploits?
>

When the original Foundstone report came out about this bug (several
months ago), Tomcat was corrected.  I believe that was prior to 3.1
final, but I'm not positive -- I know that it has been corrected in 3.2
and 4.0.

Note that this vulnerability will only occur on a server platform that
does *not* use case sensitive filenames.  On a Linux box, for example,
asking for "date.JSP" when the real file is "date.jsp" will simply
return "file not found".

>
> --
> WBB - wbrogden@bga.com  Chief Scientist, LANWrights, Inc.
> Java Programmer Certification information and mock exam
> at  http://www.lanw.com/java/javacert/

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
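
The platform dependence described in the message above can be removed by matching each requested path segment against the names the directory actually lists. This is an added example, not part of the original message and not Tomcat's own fix; the class name CaseExactLookup, the method resolveExact and the temporary document root are assumptions made for illustration.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Arrays;

public class CaseExactLookup {

    /**
     * Resolve requestPath under docRoot. Returns null unless every segment
     * equals, character for character, a name the parent directory lists.
     * (Hypothetical helper, not a Tomcat API.)
     */
    static File resolveExact(File docRoot, String requestPath) {
        File current = docRoot;
        for (String segment : requestPath.split("/")) {
            if (segment.isEmpty()) {
                continue;                       // leading or doubled slash
            }
            if (segment.equals(".") || segment.equals("..")) {
                return null;                    // no relative navigation
            }
            String[] names = current.list();    // names as stored on disk
            if (names == null || !Arrays.asList(names).contains(segment)) {
                return null;                    // missing, or differs only in case
            }
            current = new File(current, segment);
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary document root holding one JSP file.
        File root = Files.createTempDirectory("docroot").toFile();
        File jsp = new File(root, "date.jsp");
        Files.write(jsp.toPath(),
                "<%= new java.util.Date() %>".getBytes(StandardCharsets.UTF_8));

        // The plain file-system lookup is what differs between platforms:
        // it succeeds for "date.JSP" only where filenames are case insensitive.
        System.out.println("File.exists(date.JSP):  "
                + new File(root, "date.JSP").exists());

        // The exact-match lookup gives the same answer on every platform.
        System.out.println("resolveExact(date.jsp): "
                + (resolveExact(root, "/date.jsp") != null));
        System.out.println("resolveExact(date.JSP): "
                + (resolveExact(root, "/date.JSP") != null));

        jsp.delete();
        root.delete();
    }
}
```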
