Hi.

I'm using Jakarta Tomcat 3.2.2 with Apache 1.3.20 / mod_jk (Linux) and I have some security-related questions:

1) I've read 3.2.3 is the latest available version for the 3.2.x branch and that it covers a security issue. What is this security issue about and where could I read more about it? Could it be the "2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability" (http://www.securityfocus.com/vdb/bottom.html?vid=2982)?

2) Is there any patch, or is a future release planned, to cover the "2001-08-16: Jakarta Tomcat 3.2.1 Error Message Information Disclosure Vulnerability" issue? (http://www.securityfocus.com/vdb/bottom.html?vid=3199)

3) The following is a security issue I'm experiencing. It may be a configuration error made by myself or perhaps some bug? I need some help. Let's suppose you have a working .jsp page: http://www.foo.com/bar/home.jsp. Then if you use the following url the .jsp source is shown instead of being executed by Tomcat: http://www.foo.com/\bar/home.jsp.

This is the way I'm using to mount the context (excerpt from mod_jk.conf file):

    Alias /bar /usr/local/tomcat/webapps/bar
    JkMount /bar/*.jsp ajp13
    JkMount /bar/*.xml ajp13
    JkMount /bar/servlet/* ajp13
    <Location /bar/WEB-INF/ >
        AllowOverride None
        deny from all
    </Location>
    <Location "/bar/META-INF/">
        AllowOverride None
        deny from all
    </Location>

Am I missing something, or is the \ trick a bug? Any workaround?

Thanks in advance!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
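A defensive check for the behaviour described in question 3, as an added example that is not part of the original message: it scans Apache access-log lines for requests whose path contains a backslash (literal or %5C-encoded) and ends in an extension that the quoted JkMount lines hand to Tomcat. The log lines are constructed, and the Common Log Format layout and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Extensions that the JkMount lines in the post forward to Tomcat.
MOUNTED_EXTENSIONS = (".jsp", ".xml")

# Request and status fields of a Common Log Format line (assumed layout).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalized_path(uri):
    """Drop the query string and percent-decode once, so %5C becomes a backslash."""
    return unquote(uri.split("?", 1)[0])


def suspicious_requests(log_lines):
    """Return (raw_uri, status) for requests with a backslash in the path
    that target a file type Tomcat is supposed to execute."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        path = normalized_path(match.group("uri"))
        if "\\" in path and path.lower().endswith(MOUNTED_EXTENSIONS):
            hits.append((match.group("uri"), int(match.group("status"))))
    return hits


# Constructed sample log lines (documentation addresses, invented sizes).
SAMPLE_LOG = [
    r'192.0.2.10 - - [20/Aug/2001:10:00:00 +0200] "GET /bar/home.jsp HTTP/1.0" 200 1532',
    r'192.0.2.11 - - [20/Aug/2001:10:00:05 +0200] "GET /\bar/home.jsp HTTP/1.0" 200 2210',
    r'192.0.2.11 - - [20/Aug/2001:10:00:09 +0200] "GET /%5Cbar/home.jsp?x=1 HTTP/1.0" 200 2210',
    r'192.0.2.12 - - [20/Aug/2001:10:01:00 +0200] "GET /bar/logo.gif HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for uri, status in suspicious_requests(SAMPLE_LOG):
        # A 200 here means Apache answered the request; review the response body.
        print(f"review: {uri} -> {status}")
```

A flagged request that returned status 200 is the case to review first, since that is where the post reports the source being served.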
