After additional review, it has been discovered that the security bug fixed
in Tomcat 4.0.3 was more severe than originally thought, and can be used to
remotely browse the server filesystem.

To exploit this bug, an attacker would require that some user modifiable
data (like form POST data, or a URL) is directly used by a servlet or JSP
in a request dispatcher forward or include.

It can be hard to determine if an installation of Tomcat is vulnerable to
this exploit, as it depends on the web applications installed.
IMPORTANT NOTE: The default Tomcat installation is NOT vulnerable to this
bug.

Because of this, it is HIGHLY recommended that all Tomcat 4.0.x users
either:
- Apply the binary patch which is available at
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/
Note: This particular patch can be applied on all official 4.0.x releases
(including 4.0, 4.0.1 and 4.0.2).
- Upgrade to Tomcat 4.0.3.
- Upgrade to Tomcat 4.0.4 Beta 1.

Bugzilla report on this problem:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772

Remy


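The pattern Remy describes (a request-supplied value handed straight to a
RequestDispatcher forward or include) next to a hardened form, as an added
example that is not part of the original message and not Tomcat project code.
The parameter name "page", the class names and the allowlisted JSP paths are
assumptions for illustration; both classes are shown in one file for
compactness, so only the hardened one is declared public.

```java
// Added example, not from the original message or the Tomcat project.
// Servlet 2.3 style API, as used by Tomcat 4.0.x.
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Vulnerable pattern: the value of a client-controlled parameter (assumed
 * name "page") is used directly as the dispatcher target. This is exactly
 * the prerequisite named in the message: user-modifiable data flowing into
 * a forward or include. Package-private here only so the file compiles.
 */
class VulnerablePageServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");            // attacker controlled
        RequestDispatcher rd = req.getRequestDispatcher(page);
        rd.forward(req, resp);                             // target chosen by client
    }
}

/**
 * Hardened form: the client supplies a key, the servlet chooses the path.
 * No request data ever reaches getRequestDispatcher(), so the dispatcher
 * can only ever see the fixed, container-relative paths listed below.
 */
public class SafePageServlet extends HttpServlet {
    // Assumed allowlist: key -> context-relative path under WEB-INF, so the
    // JSPs are also not directly requestable by URL.
    private static final Map PAGES;
    static {
        Map m = new HashMap();
        m.put("home", "/WEB-INF/jsp/home.jsp");
        m.put("help", "/WEB-INF/jsp/help.jsp");
        PAGES = Collections.unmodifiableMap(m);
    }

    /** Returns the fixed path for a known key, or null for anything else. */
    static String resolve(String key) {
        if (key == null) {
            return null;
        }
        return (String) PAGES.get(key);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = resolve(req.getParameter("page"));
        if (target == null) {
            // Unknown key: refuse rather than fall back to the raw value.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        RequestDispatcher rd = getServletContext().getRequestDispatcher(target);
        rd.forward(req, resp);
    }
}
```

To find candidate code in a deployed web application, search servlet and JSP
sources for getRequestDispatcher( and <jsp:forward>/<jsp:include> whose path
argument is derived from getParameter, getPathInfo, getQueryString or other
request data; each such site is one the message's advice applies to, and the
allowlist approach above removes the dependency on the container's handling
of the path entirely.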