tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Tomcat security vulnerability/ or security config issue
Date Thu, 18 Apr 2013 13:44:11 GMT
> From: David kerber [mailto:dckerber@verizon.net] 
> Subject: Re: Tomcat security vulnerability/ or security config issue

> If things are configured properly, web users won't be able to see 
> anything outside your app hierarchy, so something clearly isn't set up 
> properly.

This has little to do with configuration - it's the particular webapp (consistencycheck) that
is blindly trusting whatever is fed to it from the outside world, and using that as a path
into the local file system.  A SecurityManager _may_ be able to stop it, but if the site has
deployed such a dangerous webapp, it's likely they would grant excessive privileges to it
as well.

 - Chuck
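As an added illustration of the point Chuck makes above (the flaw is in the webapp, not in Tomcat's configuration), the following Java class puts the "blindly trust the client-supplied path" pattern beside a hardened resolver that refuses anything canonicalizing to a location outside its base directory. This is example code written for this archive page; it is not code from the consistencycheck webapp or from Tomcat, and the class and method names, the base directory and the sample inputs are all constructed assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical helper showing why "request parameter straight into the
 * file system" is the bug, independent of how the container is set up.
 */
public class SafeFileResolver {

    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // Canonical form (symlinks resolved, "." and ".." removed) so that the
        // containment check below compares like with like.
        this.baseDir = baseDir.toRealPath();
    }

    /** The dangerous pattern: whatever the client sent becomes a path. */
    public static Path resolveUnchecked(Path baseDir, String requested) {
        // "../../etc/passwd" climbs out of baseDir, and an absolute argument
        // such as "/etc/passwd" replaces baseDir entirely, because
        // Path.resolve() returns an absolute argument unchanged.
        return baseDir.resolve(requested);
    }

    /** Hardened: the result must stay inside baseDir or the request is refused. */
    public Path resolveChecked(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // normalize() collapses "." and ".." lexically. Path.startsWith()
        // compares whole name elements, so "/srv/data2" is NOT inside
        // "/srv/data" (a String.startsWith prefix test would get that wrong).
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + requested);
        }
        // A symlink placed inside baseDir can still point outside it, so
        // re-check against the real path once the target exists.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("symlink escapes base directory: " + requested);
            }
            return real;
        }
        return candidate;
    }

    /** Constructed demo: a temporary base directory holding one legitimate file. */
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("consistencycheck-demo");
        Files.createDirectories(base.resolve("reports"));
        Files.write(base.resolve("reports/q1.txt"),
                "ok".getBytes(StandardCharsets.UTF_8));
        SafeFileResolver resolver = new SafeFileResolver(base);

        // Constructed inputs: one legitimate, two that leave the base
        // directory, one that detours through ".." but stays inside.
        String[] inputs = { "reports/q1.txt", "../../etc/passwd", "/etc/passwd",
                            "reports/../reports/q1.txt" };
        for (String in : inputs) {
            System.out.println("unchecked: " + resolveUnchecked(base, in));
            try {
                System.out.println("checked:   " + resolver.resolveChecked(in));
            } catch (SecurityException e) {
                System.out.println("checked:   REFUSED (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check belongs in the application, before any file is opened; a SecurityManager policy can act as a second line of defence, but as the reply notes, a site willing to deploy a webapp like this is unlikely to have granted it a tight policy.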





