The syndrome is that when typing:
http://myurl:8080/myfile.jsp%20
The JSP code is delivered to the client.
I have checked this on the following platforms:
Win2k server (SP3)
JRE 1.4.2 (b28)
IIS 5/Tomcat HTTP 1.1 connector
It works but it is not consistent
Search the archives - I think this is a JDK 1.4.2 related bug.
-Tim
Asaf Barkan wrote:
The syndrome is that when typing:
http://myurl:8080/myfile.jsp%20
The JSP code is delivered to the client.
I have checked this on the following platforms:
Win2k server (SP3)
JRE
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue. But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to
on windows tomcat?
Charlie,
How do you fix this within apache?
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
do you have apache
Red Hat Linux.
I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
minutes ago, .exe install, installed as service).
http://localhost/john/test.jsp%20 = 404
John
Paul Sundling wrote:
which operating system?
Paul
John Turner wrote:
Appending %20 to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling(Webdaddy) wrote:
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat 4.1.24 is vulnerable.
I found that if
I just saw this with 4.1.24 on win2k as well. EXTREMELY disturbing!
-Original Message-
From: Mikko Hämäläinen [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:18 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?
Hi,
I use Tomcat 4.1.18 on win2k
the JDK (vendor and version).
It's not impossible that this might be a JDK problem.
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
OS version
Directly to Tomcat (8080
: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a thought that I
had.
I do not have this problem 4.1.24 on Win2k
Charlie
I think you should also include the JDK (vendor and version).
It's not impossible that this might be a JDK problem.
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows
Users List
Subject: Re: security hole on windows tomcat?
Red Hat Linux.
I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
minutes ago, .exe install, installed as service).
http://localhost/john/test.jsp%20 = 404
John
Paul Sundling wrote:
which operating system?
Paul
did you change any mime-mappings in conf/web.xml? could you have a jsp in
there somewhere defining it as text?
-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat
Users List'
Subject: RE: security hole on windows tomcat?
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml
and post the log.
-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:39 PM
To: Tomcat Users List
What about your 4.1.2X URLS? Like the current release. I have the
latest apache serving to 4.1.27 and I CAN see the jsp code!
-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole
: security hole on windows tomcat?
did you change any mime-mappings in conf/web.xml? could you have a jsp in
there somewhere defining it as text?
-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
404 with the suffix.
Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see
Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a thought that I
had.
I do not have this problem 4.1.24 on Win2k
Charlie
Mr. Sundling:
i'm running tomcat 4.1.27 and that does not appear to be an issue. I used
http://localhost:8080/jweb/left.jsp%20; as my url.
-Original Message-
From: Spam Email [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: security hole
Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?
Appending %20 to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling(Webdaddy) wrote:
I came across what appears
Hi,
I use Tomcat 4.1.18 on win2k and it seems to be safe, I also tested that
with Tomcat 4.0.1 on Redhat and it was ok too..
- Original Message -
From: Paul Sundling(Webdaddy) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 7:00 AM
Subject: security hole on windows
:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue. But I'm pretty sure
.
Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking
which operating system?
Paul
John Turner wrote:
Appending %20 to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling(Webdaddy) wrote:
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet
my windows
2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue. But I'm
fwiw,
windows server 2003 standard edition
j2sdk 1.4.2
jakarta-tomcat-4.1.27-LE-jdk14 zip (not exe)
http://localhost:8080/examples/jsp/num/numguess.jsp%20 problem appeared in
opera 7.11
viewed page in ie 6 and got 404
subsequently got 404 in opera
flicked around other samples in opera and saw
provide a site where it DOES happen so you guys
can see what is happening.
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I
List'
Subject: RE: security hole on windows tomcat?
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml
and post the log.
-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:39 PM
To: Tomcat Users List
sorry, I overlooked where you mentioned it was the default install.
please post a link
Charlie
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
did you
Can't replicate your problem, tried both linux and win2k
Version of tomcat is the same as yours.
Paul Sundling(Webdaddy) wrote:
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat
Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Ok guys,
What could I have turned on that would have allowed this bug
to happen?
I can make it happen in both tomcat
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml
and post the log.
-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Nope
PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Ok guys,
What could I have turned on that would have allowed this bug
to happen?
I can make it happen in both tomcat and tomcat through apache. (Most
recent of both) I can provide
is happening.
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a thought that I
had.
I do not have
Charlie,
How do you fix this within apache?
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
do you have apache on the front end and are you only
[mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a thought that I
had.
I do not have this problem 4.1.24 on Win2k
Charlie
-Original
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat 4.1.24 is vulnerable.
I found that if you append %20 to a jsp page it shows the source code
instead of displaying the page:
: Re: security hole on windows tomcat?
Appending %20 to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling(Webdaddy) wrote:
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
sorry, that should be http://localhost:8080/john/test.jsp%20 = 404
No Apache is involved.
John
John Turner wrote:
Red Hat Linux.
I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
minutes ago, .exe install, installed as service).
http://localhost/john/test.jsp%20 = 404
, 2003 13:28
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?
Interesting.
WinXP
Tomcat 4.1.24
http://localhost:8080/examples/jsp/num/numguess.jsp%20
I get the source.
-e
On Mon, 11 Aug 2003, John Turner wrote:
Let's see the Tomcat-only link.
John
Angus Mezick wrote
11, 2003 12:40 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml
and post the log.
-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday
I also cannot see this on Windows 2000, or on NetWare, using Tomcat
4.1.18, 4.1.24, or 4.1.26. On NetWare I tried going through Apache and
through 8080, on Windows port 8080.
Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions