We've been looking for (and finding ) vulnerabilities in various servlet engines. A common theme is that they all use lexical analysis of a request string to determine if a request should be blocked (say because it accesses WEB-INFO or goes outside the web root). Why have container authors not chosen to use the java security mechanism to restrict file access?
URL: http://www.westpoint.ltd.uk/ - internet recon. ___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
