tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: JSP security article
Date Thu, 12 Oct 2000 19:00:22 GMT
William Brogden wrote:

> Here is an interesting article on server security:
> Tomcat is not mentioned - I wonder if it is vulnerable to these
> exploits?

When the original Foundstone report came out about this bug (several
ago), Tomcat was corrected.  I believe that was prior to 3.1 final, but
I'm not positive -- I know that it has been corrected in 3.2 and 4.0.

Note that this vulnerability will only occur on a server platform that does
*not* use case sensitive filenames.  On a Linux box, for example, asking for
"date.JSP" when the real file is "date.jsp" will simply return "file not

> --
> WBB -  Chief Scientist, LANWrights, Inc.
> Java Programmer Certification information and mock exam
> at

Craig McClanahan

See you at ApacheCon Europe <>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
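
An exact-case check for the situation described in the message above, as an added example that is not part of the original post and is not Tomcat's own code. It rejects a request such as "date.JSP" when the file on disk is "date.jsp", so a case-insensitive platform answers the same way the Linux box does; the class name `ExactCaseCheck`, the method `matchesOnDiskCase` and the sample file are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ExactCaseCheck {

    // Hypothetical helper: true only if 'requested' (relative to docRoot)
    // names an existing entry using exactly the case stored on disk.
    static boolean matchesOnDiskCase(Path docRoot, String requested) throws IOException {
        Path root = docRoot.toRealPath();
        Path target = root.resolve(requested).normalize();

        // Refuse anything that escapes the document root or does not exist.
        // On a case-sensitive file system "date.JSP" already fails here.
        if (!target.startsWith(root) || !Files.exists(target)) {
            return false;
        }

        // toRealPath() reports name elements in their actual on-disk case,
        // so on a case-insensitive file system "date.JSP" comes back as
        // "date.jsp". It also resolves symbolic links, which means a
        // symlinked entry is rejected as well (stricter than needed).
        Path real = target.toRealPath();

        // Compare as strings: Path.equals() ignores case on platforms
        // whose file names are case-insensitive.
        return real.toString().equals(target.toString());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary document root holding one JSP page.
        Path docRoot = Files.createTempDirectory("docroot");
        Path page = docRoot.resolve("date.jsp");
        Files.write(page, "<%= new java.util.Date() %>".getBytes(StandardCharsets.UTF_8));

        for (String name : new String[] {"date.jsp", "date.JSP", "../date.jsp"}) {
            String verdict = matchesOnDiskCase(docRoot, name) ? "serve" : "file not found";
            System.out.println(name + " -> " + verdict);
        }

        Files.delete(page);
        Files.delete(docRoot);
    }
}
```

Only "date.jsp" is accepted on either kind of file system; the other two names are reported as not found.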
