From: "Mikko Hämäläinen"
To: "Tomcat Users List"
Subject: Re: security hole on windows tomcat?
Date: Mon, 11 Aug 2003 15:18:02 +0300

Hi,

I use Tomcat 4.1.18 on win2k and it seems to be safe, I also tested that with Tomcat 4.0.1 on Redhat and it was ok too..

----- Original Message -----
From: "Paul Sundling("Webdaddy")"
To:
Sent: Sunday, August 10, 2003 7:00 AM
Subject: security hole on windows tomcat?

> I came across what appears to be a security hole when running tomcat.
> I'm not sure how widespread it is, but my linux server is safe, yet my
> windows XP, tomcat 4.1.24 is vulnerable.
>
> I found that if you append %20 to a jsp page it shows the source code
> instead of displaying the page:
>
> http://192.168.1.54:8080/index.jsp
> http://192.168.1.54:8080/index.jsp%20
>
> So how widespread is this?
>
> Paul Sundling
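
One way to check whether a server has already received requests of the kind described in this thread is to scan its access log for .jsp paths that end in an encoded space. The following is an added example, not part of the original messages or of Tomcat; it assumes access logs in Common Log Format, and the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def trailing_space_jsp_hits(lines, extensions=(".jsp",)):
    """Return (host, time, target, status) for requests whose decoded path
    is a script name followed only by spaces, e.g. /index.jsp%20."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line in the expected format
        # Look only at the path: a %20 inside the query string is normal.
        path = unquote(urlsplit(m["target"]).path)
        stripped = path.rstrip(" ")
        if stripped != path and stripped.lower().endswith(extensions):
            hits.append((m["host"], m["time"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2003:12:00:01 +0300] "GET /index.jsp HTTP/1.1" 200 1043',
    '192.0.2.10 - - [11/Aug/2003:12:00:05 +0300] "GET /index.jsp%20 HTTP/1.1" 200 2310',
    '192.0.2.11 - - [11/Aug/2003:12:01:17 +0300] "GET /search.jsp?q=a%20 HTTP/1.1" 200 512',
    '192.0.2.12 - - [11/Aug/2003:12:02:40 +0300] "GET /admin/login.JSP%20%20 HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for host, when, target, status in trailing_space_jsp_hits(SAMPLE_LOG):
        # A 200 here means the server answered the request; review what it sent.
        note = "served, review response" if status == 200 else "not served"
        print(f"{when}  {host}  {target}  {status}  ({note})")
```

Entries that come back with status 200 are the ones to review by hand, since those are the requests the server actually answered.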