-Dsun.io.useCanonCaches=false
Can you try it and see if that fixes the problem (I don't have a winXX)?
-- Jeanfrancois
Jeff Tulley wrote:
The user list has been busy lately discussing a possible security hole, but only 1/3 of the people in the thread could see the problem. I finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2, but NOT with JVM 1.4.1.
The vulnerability is that if you stick a "%20" on the end of a .jsp url, you get the source.
I forgot to mention the platforms where this has been seen. I have seen this with Sun's JVM 1.4.2 on Windows XP, and now I just verified that it also exists on NetWare's JVM 1.4.2 (built on Sun's source code base, so not surprising). It might exist on other 1.4.2 implementations, but I am not sure.
I also just verified this on Tomcat 4.1.18 and 4.1.26 as well.
For some reason I see it better with the example jsp's - /examples/jsp/num/numbguess.jsp%20 for instance. But, you can tell the problem is going to be there if, when you add the "%20" to the .jsp name, you don't get a 404. This is all going directly to port 8080, so no native connector is involved.
Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
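An added example, not part of the original thread: a log check for the symptom described above, where a `.jsp` URL padded with "%20" is answered with something other than a 404. It assumes access logs in Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status as they appear in Common Log Format:
#   "METHOD target PROTOCOL" status
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def trailing_space_jsp(target):
    """True if the decoded path is a .jsp name followed only by spaces."""
    path = unquote(urlsplit(target).path)   # drop the query, decode %20
    stripped = path.rstrip(" ")
    return stripped != path and stripped.lower().endswith(".jsp")

def suspicious_requests(lines):
    """Return (target, status) for padded .jsp requests that did not get a 404."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a parseable access-log line
        status = int(m.group("status"))
        if trailing_space_jsp(m.group("target")) and status != 404:
            hits.append((m.group("target"), status))
    return hits

# Constructed sample lines (documentation IP range, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /examples/jsp/num/numbguess.jsp HTTP/1.1" 200 1024',
    '192.0.2.11 - - [01/Jan/2004:10:00:05 +0000] "GET /examples/jsp/num/numbguess.jsp%20 HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2004:10:00:09 +0000] "GET /examples/jsp/num/numbguess.jsp%20 HTTP/1.1" 404 512',
    '192.0.2.12 - - [01/Jan/2004:10:01:00 +0000] "GET /examples/jsp/num/numbguess.jsp%20%20?x=1 HTTP/1.1" 200 2048',
    '192.0.2.13 - - [01/Jan/2004:10:02:00 +0000] "GET /docs/my%20file.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for target, status in suspicious_requests(SAMPLE_LOG):
        print(f"check server and JVM version: {target} -> {status}")
```

A hit only says the server did not reject the padded name; whether source was actually returned still has to be confirmed from the response body or size.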