I tried to test this security vulnerability on my Tomcat 4.0.4 (alone) setup but wasn't able to view my JSP files as claimed.

According to http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0, if my JSP file is accessible via http://donor.ucsd.edu:7873/ccdb/experiment/index.jsp then I should be able to view my source. However, I tried 2 different URLs:

http://donor.ucsd.edu:7873/ccdb/experiment/org.apache.catalina.servlets.DefaultServlet/index.jsp
http://donor.ucsd.edu:7873/org.apache.catalina.servlets.DefaultServlet/ccdb/experiment/index.jsp

and all I got was a Tomcat 404 error page.

Has anyone actually been able to view their JSP source via this vulnerability?

Mona
==================================================================
Mona Wong-Barnum
National Center for Microscopy and Imaging Research
University of California, San Diego
http://ncmir.ucsd.edu/

"The truth shall set you free, but first it will piss you off"
A Landmark instructor
==================================================================