Hi,

A security problem affecting Tomcat 4.0.2 (and all versions of 4.x) has been reported, which allows getting a request dispatcher to a URL outside of the context root.
This is not a security problem when NOT using a security manager, since it is always possible to use direct filesystem access to achieve the same result. However, this vulnerability allows bypassing the security manager protection and serving resources located anywhere on the server.

For example, this vulnerability can be reproduced by adding an include command inside a JSP page, like <jsp:include page="../../../foo2/jsp/include/bar.txt"/>.

A Tomcat release including the fix will be made available shortly.

Remy
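To make concrete what the container has to enforce here, the following is an added example written for this page; it is not Remy's code and not Tomcat's fix. It resolves a <jsp:include page="..."/> target against the including page, collapses "." and ".." segments, and refuses any result that would climb above the context root, which is the condition the advisory describes. The class name, method names and sample paths are hypothetical, and the helper assumes the path has already been URL-decoded and that "/" is the only separator.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example, not Tomcat code: resolve a <jsp:include page="..."/> target
 * the way a container must before handing it to a request dispatcher, and
 * refuse anything that escapes the web application's context root.
 *
 * Assumptions (hypothetical, for illustration): paths are already URL-decoded,
 * "/" is the only separator, and the context root is represented by "/".
 */
public final class DispatcherPathGuard {

    private DispatcherPathGuard() {}

    /**
     * Resolve an include target against the page that contains the include.
     *
     * @param includingPage context-relative path of the JSP doing the include,
     *                      e.g. "/jsp/index.jsp"
     * @param target        value of the page attribute; "/x" is context-relative,
     *                      anything else is relative to the including page's directory
     * @return the normalised context-relative path, or null if the target
     *         escapes the context root or is otherwise malformed
     */
    public static String resolveInclude(String includingPage, String target) {
        if (includingPage == null || target == null || target.isEmpty()) return null;
        // NUL bytes and backslashes are never legitimate here; reject them rather
        // than risk a different interpretation further down (file system, OS).
        if (target.indexOf('\0') >= 0 || target.indexOf('\\') >= 0) return null;

        // The query string is not part of the resource path.
        int q = target.indexOf('?');
        String path = q >= 0 ? target.substring(0, q) : target;

        String combined;
        if (path.startsWith("/")) {
            combined = path;
        } else {
            int slash = includingPage.lastIndexOf('/');
            String dir = slash >= 0 ? includingPage.substring(0, slash + 1) : "/";
            combined = dir + path;
        }
        return normalizeWithinRoot(combined);
    }

    /**
     * Collapse "." and ".." segments. Returns null as soon as ".." would move
     * above the root, which is exactly the escape the advisory describes.
     */
    static String normalizeWithinRoot(String absolutePath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : absolutePath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null; // would leave the context root
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        if (segments.isEmpty()) return "/";
        StringBuilder sb = new StringBuilder();
        for (String s : segments) sb.append('/').append(s);
        return sb.toString();
    }

    public static void main(String[] args) {
        String page = "/jsp/index.jsp"; // constructed sample: the including page
        String[] targets = {                         // constructed sample targets
            "include/bar.txt",                       // -> /jsp/include/bar.txt
            "/jsp/./include/bar.txt",                // -> /jsp/include/bar.txt
            "../jsp/include/bar.txt?x=1",            // -> /jsp/include/bar.txt
            "../../../foo2/jsp/include/bar.txt",     // -> REJECTED (null)
        };
        for (String t : targets) {
            String resolved = resolveInclude(page, t);
            System.out.println(t + " -> " + (resolved == null ? "REJECTED" : resolved));
        }
    }
}
```

A caller would treat a null result as "not found" rather than falling through to the file system. Note that this string-level check only complements the security manager: the container still needs the file permission granted to the web application to cover no more than its own context root, so that a resolution bug like the one reported here cannot turn into reads of arbitrary server files.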