tomcat-users mailing list archives

From David kerber <dcker...@verizon.net>
Subject Re: Tomcat security vulnerability/ or security config issue
Date Thu, 18 Apr 2013 13:27:16 GMT
If things are configured properly, web users won't be able to see 
anything outside your app hierarchy, so something clearly isn't set up 
properly.

On 4/18/2013 9:14 AM, Wen Liu wrote:
>
>
> Howdy,
>
> I have an issue with Tomcat security, please find the spec below:
>
> Server version: Apache Tomcat/6.0.35
> Server built:   Nov 28 2011 11:20:06
> Server number:  6.0.35.0
> OS Name:        SunOS
> OS Version:     5.10
> Architecture:   x86
> JVM Version:    1.6.0_33-b03
> JVM Vendor:     Sun Microsystems Inc.
>
>
> For the problematic server, all files on the server are exposed to all users through
> http://<masterservice_IP>:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../<location_of_the_file>
>
> i.e. open Chrome, give http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages
> and press enter to see the server system log.
>
> It happens with any browser.
>
> I was wondering if it is a security vulnerability of Tomcat 6.0.35, or a service
> config issue. Can someone please have a look?
>
> Please let me know if any further info required..
>
>
> Thanks & Regards,
>
> Wen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
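The behaviour Wen describes is a path traversal in the application's own file handling, not something Tomcat's container security can see: the servlet takes the xmlUrl parameter and reads whatever path it names, so "../../../../../var/adm/messages" walks out of the webapp directory. The usual fix is in the servlet, not in server.xml: canonicalise the requested path and refuse it unless it stays under the directory the servlet is meant to serve from. The following is an added example written for this thread, not code from the thread, from the consistencycheck application, or from the Tomcat project. The handler in the thread is not available, so vulnerable_resolve is an assumed model of what a naive handler does, the directory layout is constructed in a temporary directory, and the request values are modelled on the thread's URL plus common encoded variants.

```python
"""Confining a user-supplied file parameter to a base directory.

Constructed example: the layout is built in a temp dir and the xmlUrl values
are modelled on the traversal URL from the thread. Nothing here is the
consistencycheck servlet's actual code.
"""
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted base directory."""


def vulnerable_resolve(base_dir: str, xml_url: str) -> str:
    """Assumed model of a naive handler: join the parameter onto a data dir.

    normpath collapses the '..' segments, so '../../../../../var/adm/messages'
    walks straight out of base_dir. This reproduces the symptom in the thread.
    """
    return os.path.normpath(os.path.join(base_dir, xml_url))


def safe_resolve(base_dir: str, xml_url: str) -> str:
    """Resolve xml_url under base_dir, refusing anything that ends up outside.

    Order matters: percent-decode, then canonicalise (realpath also follows
    symlinks), then compare against the canonical base. A string check for
    '..' on the raw parameter would miss encoded forms and symlinks.
    """
    decoded = unquote(xml_url)
    if "\x00" in decoded:
        # NUL would let the OS truncate the name after an extension check.
        raise PathTraversalError("NUL byte in path parameter")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when decoded is absolute ('/var/adm/messages');
    # that is fine, the containment check below rejects it anyway.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Require a strict child: base itself (from '' or '.') is not a file to serve.
    if not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"{xml_url!r} resolves outside {base}")
    return candidate


def build_fixture():
    """Create a throw-away layout loosely mimicking the thread's server:

        <root>/webapps/consistencycheck/xml/catalog.xml   legitimate input
        <root>/var/adm/messages                            must stay unreachable

    Returns (root, base_dir). Both files are constructed for the example.
    """
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    base = os.path.join(root, "webapps", "consistencycheck", "xml")
    os.makedirs(base)
    with open(os.path.join(base, "catalog.xml"), "w") as fh:
        fh.write("<catalog/>")
    os.makedirs(os.path.join(root, "var", "adm"))
    with open(os.path.join(root, "var", "adm", "messages"), "w") as fh:
        fh.write("Apr 18 13:27:16 host syslog: constructed log line\n")
    return root, base


def run_checks(base_dir: str, xml_urls):
    """Return {xml_url: 'allowed' | 'rejected'} as decided by safe_resolve."""
    results = {}
    for url in xml_urls:
        try:
            safe_resolve(base_dir, url)
            results[url] = "allowed"
        except PathTraversalError:
            results[url] = "rejected"
    return results


# Request values: the thread's payload plus common evasions (constructed).
SAMPLE_XML_URLS = [
    "catalog.xml",                                 # the only legitimate one
    "../../../../../var/adm/messages",             # payload from the thread
    "..%2F..%2F..%2F..%2F..%2Fvar/adm/messages",   # percent-encoded separators
    "/var/adm/messages",                           # absolute path
    "catalog.xml\x00.xml",                         # NUL truncation trick
]

if __name__ == "__main__":
    root, base = build_fixture()
    print("naive handler would read:", vulnerable_resolve(base, SAMPLE_XML_URLS[1]))
    for url, verdict in run_checks(base, SAMPLE_XML_URLS).items():
        print(f"{verdict:8s} {url!r}")
```

The same check in a Java servlet is `new File(base, decoded).getCanonicalPath()` compared against `base.getCanonicalPath() + File.separator`; what matters is canonicalising before comparing, since a blacklist on the raw parameter is what encoded separators and symlinks get past. Tomcat's own constraints in web.xml only govern which URLs reach the servlet, not which files the servlet opens once it runs.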

