Posted to users@tomcat.apache.org by Laura McCord <mc...@southwestern.edu> on 2007/04/10 22:03:58 UTC

Re: [Fwd: Re: Tomcat 5.5.23 Question]

So, since we are using Tomcat as a standalone then this would apply, right?

Thanks,
 Laura



Rui Monteiro wrote:
> And just in case! It doesn't seem to apply in case you don't have
> Apache Server + Apache Tomcat through connector.
>
> -------- Original message --------
>
> Supposing the security vulnerability to be true as it seems (but I
> didn't check), it means first of all that if you don't have the Tomcat
> Manager Application working and you don't have more than one web
> application, or at least you don't have any other application proxied,
> then you don't have to worry.
>
> Anyway you can run Tomcat 5.5 with Java 1.4 but it needs configuration.
>
> Hope it helps.
>
> Laura McCord wrote:
>> I currently have Tomcat 5.0.28 installed and we received a security
>> vulnerability notice pertaining to a "Apache Tomcat Directory
>> Traversal".
>> http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0167.html
>>
>> We were thinking about upgrading to version 5.5.23 but is it true that
>> we would have to upgrade our java installation from 1.4 to java 5?
>>
>> Also, if anyone is familiar with this security vulnerability can you
>> please explain what this means?
>>
>> Thanks.
>>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [Fwd: Re: Tomcat 5.5.23 Question]

Posted by Mark Thomas <ma...@apache.org>.
Laura McCord wrote:
> So, since we are using Tomcat as a standalone then this would apply, right?

On standalone Tomcat this is not an issue since there is no proxy.

Mark




Re: [Fwd: Re: Tomcat 5.5.23 Question]

Posted by Rashmi Rubdi <ra...@gmail.com>.
I tried to replicate the vulnerability on my site, but I couldn't
really traverse the directory tree in the way they've indicated, so I
can't really confirm whether there's a vulnerability or not.

-Rashmi

On 4/10/07, Laura McCord <mc...@southwestern.edu> wrote:
> However, we do have another
> installation on a different server that an administrator uses to
> upload/modify existing web applications. This installation in particular
> only uses the tomcat standalone. So, I am figuring this tomcat server
> needs to be upgraded and any other server that makes the tomcat manager
> accessible.
>
> Thanks,
>  Laura



Re: [Fwd: Re: Tomcat 5.5.23 Question]

Posted by Laura McCord <mc...@southwestern.edu>.
I have multiple installations of Tomcat on various servers. One in
particular is our portal server that does not have the tomcat manager
accessible so it should be fine. However, we do have another
installation on a different server that an administrator uses to
upload/modify existing web applications. This installation in particular
only uses the tomcat standalone. So, I am figuring this tomcat server
needs to be upgraded and any other server that makes the tomcat manager
accessible.

Thanks,
 Laura

Rashmi Rubdi wrote:
> You may want to double-check with the people who wrote the report,
> just to be sure.
>
> I have a small site hosted on Tomcat 5.5.9 and I think the host
> provider is using Apache connector --- my site often crashes and shuts
> down and I sometimes see the directory structure. But it might not be
> because of a security vulnerability. I think it's probably because the
> hosting provider shuts it down because it's very low cost. And it's a
> bit of a PITA to manually switch off directory listing. Also, even without
> the vulnerability anyone can still access the manager app by using the
> default URL; I should probably get it disabled.
>
> -Rashmi
>
> On 4/10/07, Laura McCord <mc...@southwestern.edu> wrote:
>> So, since we are using Tomcat as a standalone then this would apply,
>> right?
>>
>> Thanks,
>>  Laura
>



Re: [Fwd: Re: Tomcat 5.5.23 Question]

Posted by Rashmi Rubdi <ra...@gmail.com>.
You may want to double-check with the people who wrote the report,
just to be sure.

I have a small site hosted on Tomcat 5.5.9 and I think the host
provider is using Apache connector --- my site often crashes and shuts
down and I sometimes see the directory structure. But it might not be
because of a security vulnerability. I think it's probably because the
hosting provider shuts it down because it's very low cost. And it's a
bit of a PITA to manually switch off directory listing. Also, even without
the vulnerability anyone can still access the manager app by using the
default URL; I should probably get it disabled.

-Rashmi

On 4/10/07, Laura McCord <mc...@southwestern.edu> wrote:
> So, since we are using Tomcat as a standalone then this would apply, right?
>
> Thanks,
>  Laura
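The directory-listing point raised above is a configuration matter: in Tomcat the listing behaviour is controlled by the "listings" init-param of the DefaultServlet declared in conf/web.xml. The script below is an added example for this thread, not code from the Tomcat project or from any of the posters. It audits a web.xml document for that setting and shows the weak form (listings on) next to the corrected form (listings off). The two web.xml fragments are constructed samples; the servlet class name org.apache.catalina.servlets.DefaultServlet and the param name "listings" are the real Tomcat names, while the function names are the example's own.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet 'listings' init-param.

Added example for the thread above; not Tomcat project code. The two
web.xml documents below are constructed samples shaped like the DefaultServlet
declaration in conf/web.xml (servlet 2.4 namespace, as Tomcat 5.5 uses).
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the weak setting, directory listings switched on.
WEB_XML_LISTINGS_ON = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the corrected setting, listings switched off.
WEB_XML_LISTINGS_OFF = WEB_XML_LISTINGS_ON.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")


def _local(tag):
    """Strip a namespace prefix: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children with the given local tag name, namespace-agnostic."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Stripped text of the first child named `name`, or None."""
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def default_servlet_listings(web_xml_text):
    """Return the raw 'listings' value of the DefaultServlet declaration.

    Returns the param value string (e.g. 'true' or 'false') when present,
    and None when either no DefaultServlet is declared or it carries no
    'listings' init-param.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in _children(root, "servlet"):
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "listings":
                return (_text(param, "param-value") or "").lower()
    return None


def audit(web_xml_text):
    """One-line finding a defender can act on."""
    value = default_servlet_listings(web_xml_text)
    if value is None:
        return "listings not explicitly set: add a 'listings' init-param with value false"
    if value == "true":
        return "directory listings ENABLED: set the 'listings' init-param to false"
    return "directory listings disabled"


if __name__ == "__main__":
    for label, doc in (("weak", WEB_XML_LISTINGS_ON), ("fixed", WEB_XML_LISTINGS_OFF)):
        print(f"{label}: {audit(doc)}")
```

To run it against a real installation, replace the constructed samples with the contents of $CATALINA_HOME/conf/web.xml; the tag-name matching ignores namespaces so the same parser handles both namespaced and plain web.xml files.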
