It is definitely reproducible on his system, but he is on a secured connection.
It does not happen on mine. The only variable that we know of is the JRE.

--- Mark Thomas <[EMAIL PROTECTED]> wrote:
> I can't reproduce it either. I am using the latest 4.1.x from CVS but I
> am 100% certain there have been no changes that would relate to this
> since 4.1.30.
>
> On a related topic, security bugs should be reported privately by email
> to [EMAIL PROTECTED]
>
> If this had been a real issue it would have been nice to be able to get
> the patch out there before it was announced on a public list ;)
>
> Mark
>
> Mike Curwen wrote:
> > hmm.. that would be _this_ old chestnut... (a little eager on the send,
> > sorry.)
> >
> > http://shh.thathost.com/secadv/2001-03-29-tomcat.txt
> >
> > This particular exploit was fixed a long time ago (wasn't it?)
> >
> >
> > Mike Curwen
> >
> >
> >>-----Original Message-----
> >>From: Norris Shelton [mailto:[EMAIL PROTECTED]
> >>Sent: Wednesday, February 16, 2005 9:27 AM
> >>To: Tomcat
> >>Subject: percent 0008 exploit
> >>
> >>
> >>A co-worker that supports a federal site just got an e-mail
> >>from their admins indicating that his site is exposing jsp
> >>source code when they append %0008 to the end of their URLs.
> >>The view source shows his exact pages.
> >>
> >>He is using Tomcat 4.1.30 and JDK 1.4.2_05
> >>
> >>I tried it on my servers (TC 4.1.30 and JDK 1.4.2_06). Is
> >>this a JRE vulnerability?
> >>
> >>=====
> >>
> >>Norris Shelton
> >>Software Engineer
> >>Sun Certified Java 1.1 Programmer
> >>Appriss, Inc.
> >>ICQ# 26487421
> >>AIM NorrisEShelton
> >>YIM norrisshelton
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

=====
Norris Shelton
Software Engineer
Sun Certified Java 1.1 Programmer
Appriss, Inc.
ICQ# 26487421
AIM NorrisEShelton
YIM norrisshelton
