Re: CHINANSL Security Advisory(CSA-200105)

[Jon Stevens <jo...@latchkey.com>]

Dear "lovehacker",

Tomcat 3.0 is an old version and has several known security holes. That is
why we recommend that people run the latest released version which is
currently 3.1.1 or 3.2.1 (depending on the branch you are interested).

Also, Tomcat 3.2.2b2 is also available on our website which fixes the
recently announced cross site scripting issue.

I would appreciate it if you would test and report your security holes
against the released versions and not the old versions. I see no further
action necessary unless your hole is also present in the current code base
(I suspect that it isn't).

I also may have missed your posting, but giving advance notice to
security@apache.org and/or tomcat-dev@jakarta.apache.org would be more
appropriate than posting to bugtraq first.

thanks,

Jon S. Stevens
jon@apache.org
ASF Member
PMC Member - Jakarta Group

-- 
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/ymtd/ymtd.html>

on 3/27/01 10:40 PM, "lovehacker" <lo...@263.NET> wrote:

> Topic:
> Tomcat 3.0 for win2000 Directory traversal
> Vulnerability
> 
> vulnerable:
> Tomcat 3.0 for win2000
> maybe for other operating system also.
> 
> discussion:
> A security vulnerability has been found in Windows
> NT/2000 systems that have Tomcat 3.0 installed.The
> vulnerability allows remote attackers to access files
> outside the document root directory scope.
> 
> exploits:
> http://target:8080/../../winnt/win.ini%
> 00examples/jsp/hello.jsp
> It is possible to cause the Tomcat server to send
> back the content of win.ini.
> 
> solution:
> None
> 
> Copyright 2000-2001 CHINANSL. All Rights
> Reserved. Terms of use.
> 
> CHINANSL Security Team
> <lo...@chinansl.com>
> CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> (http://www.chinansl.com)