I did some experimenting with Tomcat 3.3.1. It appears to restrict access to any directory that starts with the sequence "WEB-INF". Appending a period, or any other character for that matter, does not get around this security check, which would mean that Tomcat is not vulnerable to this particular exploit.

-----Original Message-----
From: George McKinney
Sent: Friday, July 05, 2002 12:29 PM
To: 'tomcat user list'
Subject: Is Tomcat vulnerable to this exploit?

On jGuru, I saw mention of this vulnerability of some webapp containers:
http://www.westpoint.ltd.uk/advisories/wp-02-0002.txt

It doesn't mention any Tomcat versions. Can anyone tell me if Tomcat is NOT vulnerable to this one?

Thanks,
George McKinney

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
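
The check described in the reply above, as an added example (not Tomcat's code and not written by either poster): a path guard that denies any segment beginning with "WEB-INF", beside an exact-match guard that treats "WEB-INF." as a different name. The class and method names are hypothetical, the sample paths are constructed, and the URL decoding and case folding are assumptions that go beyond what the reply states.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

public class WebInfGuard {

    // Split a request path into segments after percent-decoding it, so an
    // encoded form such as "%2e" is compared in its decoded form (assumption:
    // the container decodes before applying the check).
    static String[] segments(String requestPath) {
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        return decoded.replace('\\', '/').split("/+");
    }

    // Weak form: denies only a segment that is exactly "WEB-INF".
    static boolean deniedByExactMatch(String requestPath) {
        for (String seg : segments(requestPath)) {
            if (seg.equals("WEB-INF")) return true;
        }
        return false;
    }

    // Form matching the reply's observation: denies any segment that starts
    // with "WEB-INF", whatever characters follow. Case folding is an added
    // assumption for case-insensitive file systems.
    static boolean deniedByPrefix(String requestPath) {
        for (String seg : segments(requestPath)) {
            if (seg.toUpperCase(Locale.ROOT).startsWith("WEB-INF")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] samples = {
            "/index.jsp",
            "/WEB-INF/web.xml",
            "/WEB-INF./web.xml",
            "/WEB-INFx/web.xml",
            "/app/web-inf%2e/classes/",
        };
        for (String p : samples) {
            System.out.printf("%-28s exact=%-5b prefix=%b%n",
                    p, deniedByExactMatch(p), deniedByPrefix(p));
        }
    }
}
```

The prefix guard also denies a legitimate directory whose name merely begins with "WEB-INF", which is the trade-off the observed behaviour implies.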
