Bug report #744 has just been filed.

You can view the report at the following URL: <http://znutar.cortexity.com/BugRatViewer/ShowReport/744>

REPORT #744 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: serious
Confidence: confidential

Environment:
  Release: 3.2.1
  JVM Release: 1.2.2.04
  Operating System: HPUX
  OS Release: 11
  Platform: PA-RISC

Synopsis: security hole - can download jsp page source code

Description: When tomcat 3.2.1 is running in stand-alone mode, simply using telnet to connect to it and issuing "GET /path/file.jsp" downloads the raw source code for the file. If the command sent is "GET /path/file.jsp HTTP 1.0" then the page is correctly *run* and the *results* are sent back.

BugRat Report # 744
Project: Tomcat | Release: 3.2.1 |
Category: Bug Report | SubCategory: New Bug Report |
Class: swbug | State: received |
Priority: high | Severity: serious |
Confidence: confidential |
Submitter: Simon Kitching ( [EMAIL PROTECTED] )
Date Submitted: Jan 11 2001, 11:10:38 CST
Responsible: Z_Tomcat Alias ( [EMAIL PROTECTED] )
- Synopsis:
- security hole - can download jsp page source code
- Environment: (jvm, os, osrel, platform)
- 1.2.2.04, HPUX, 11, PA-RISC
- Additional Environment Description:
- Same behaviour on Sun Solaris with: OS: SunOS vdcrola1 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-250 JVM: Solaris VM (build Solaris_JDK_1.2.2_06, native threads, sunwjit)
- Report Description:
- When tomcat 3.2.1 is running in stand-alone mode, simply using telnet to connect to it and issuing "GET /path/file.jsp" downloads the raw source code for the file. If the command sent is "GET /path/file.jsp HTTP 1.0" then the page is correctly *run* and the *results* are sent back.
- How To Reproduce:
- null
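The behaviour described in the report, turned into a regression check an operator can run against a Tomcat instance they administer. This is an added example, not part of the original report or of Tomcat; the function names and the `<%` marker heuristic are assumptions, and the versioned request uses the standard `HTTP/1.0` token.

```python
import socket
import sys

def build_requests(path):
    """Both request forms from the report, as raw bytes."""
    if not path.startswith("/") or any(c in path for c in "\r\n "):
        raise ValueError("path must be absolute, without spaces or CR/LF")
    return {
        "simple": f"GET {path}\r\n".encode("ascii"),              # no version token
        "full": f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"),  # versioned request
    }

def raw_send(host, port, request, timeout=5.0):
    """Send raw bytes, read until the server closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def leaks_jsp_source(response):
    """Heuristic (assumption): unexecuted JSP always contains a '<%' delimiter."""
    return b"<%" in response

def audit(path, send):
    """send: callable(request_bytes) -> response_bytes. True means source leaked."""
    return {form: leaks_jsp_source(send(req))
            for form, req in build_requests(path).items()}

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check.py HOST PORT /path/file.jsp")
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    findings = audit(path, lambda req: raw_send(host, port, req))
    for form, leaked in findings.items():
        print(f"{form:6} request: {'JSP SOURCE RETURNED' if leaked else 'ok'}")
    sys.exit(1 if any(findings.values()) else 0)
```

A rendered page that legitimately emits `<%` in its output will trip the heuristic, so point the check at a JSP whose output does not.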