I've been trying to reproduce this using 3.2.1 on Win2000 (as the original
reporter stated) and so far I can't make it happen. In all cases I get a
404.
I get the same results using 3.2.2b2.
> -----Original Message-----
> From: Jon Stevens [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 02, 2001 1:04 PM
> To: tomcat-dev
> Subject: FW: CHINANSL Security Advisory(CSA-200108)
>
>
>
> ----------
> From: Stian Myhre <[EMAIL PROTECTED]>
> Reply-To: Stian Myhre <[EMAIL PROTECTED]>
> Date: Mon, 2 Apr 2001 11:54:52 +0200
> To: [EMAIL PROTECTED]
> Subject: Re: CHINANSL Security Advisory(CSA-200108)
>
> Hi all.
>
> It is possible not only to get the listing
> but also the files.
> If you replace the last / with %5c it will
> give you the file.
>
> example:
> > http://target:8080/%2e%2e/%2e%2e%5cyourfilehere%00.jsp
>
> -Njack
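
A defensive check for the request shape quoted above, as an added example that is not part of the original thread or of Tomcat: it decodes request paths from access-log lines and flags dot-dot segments, backslash separators and NUL bytes. The log lines, the log format and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (not from the original thread).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2001:12:00:01 +0200] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.9 - - [02/Apr/2001:12:00:07 +0200] "GET /%2e%2e/%2e%2e%5cyourfilehere%00.jsp HTTP/1.0" 404 0',
    '10.0.0.9 - - [02/Apr/2001:12:00:09 +0200] "GET /docs/%252e%252e/conf HTTP/1.0" 404 0',
    '10.0.0.7 - - [02/Apr/2001:12:00:11 +0200] "GET /a/b.c/notes..txt?x=1 HTTP/1.0" 200 90',
]

REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

def decode_fully(raw_path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is caught too."""
    data = raw_path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def classify(raw_uri):
    """Return the sorted list of reasons a request path looks suspicious."""
    path = raw_uri.split("?", 1)[0]
    data = decode_fully(path)
    reasons = set()
    if b"\x00" in data:
        reasons.add("nul-byte")
    if b"\\" in data:
        reasons.add("backslash-separator")
    # Treat both separators alike, as a Windows filesystem would.
    segments = data.replace(b"\\", b"/").split(b"/")
    if b".." in segments:
        reasons.add("dot-dot-segment")
    return sorted(reasons)

def scan(lines):
    """Return (raw_uri, reasons) for each log line that is flagged."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            reasons = classify(m.group(1))
            if reasons:
                hits.append((m.group(1), reasons))
    return hits
```

A 404 status on a flagged line, as in the first message of this thread, still marks a probe worth recording.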