Re: percent 0008 exploit

2005-02-16 Thread Michiel Toneman
I've just been trying to confirm the vulnerability without any luck. Any place in the wild where we could find such a problem? I've tried replacing: http://www.server.dom/jsp/test.jsp with: http://www.server.dom/jsp/test.jsp%0008 in a number of setups without any results. Cheers, Michiel Norris

RE: percent 0008 exploit

2005-02-16 Thread Mike Curwen
Is it this old chestnut? Mike Curwen Product Manager Globally Boundless www.globallyboundless.com 204.885.7733 ext 227 Privacy Compliance: This e-mail message is

RE: percent 0008 exploit

2005-02-16 Thread Mike Curwen
hmm.. that would be _this_ old chestnut... (a little eager on the send, sorry.) http://shh.thathost.com/secadv/2001-03-29-tomcat.txt This particular exploit was fixed a long time ago (wasn't it?) Mike Curwen -Original Message- From: Norris Shelton [mailto:[EMAIL PROTECTED] Sent:

Re: percent 0008 exploit

2005-02-16 Thread Mark Thomas
I can't reproduce it either. I am using the latest 4.1.x from CVS but I am 100% certain there have been no changes that would relate to this since 4.1.30. On a related topic, security bugs should be reported privately by email to [EMAIL PROTECTED] If this had been a real issue it would have

Re: percent 0008 exploit

2005-02-16 Thread Norris Shelton
It is definitely reproducible on his system, but he is on a secured connection. It does not happen on mine. The only variable that we know of is the JRE. --- Mark Thomas [EMAIL PROTECTED] wrote: I can't reproduce it either. I am using the latest 4.1.x from CVS but I am 100% certain there