Posted to users@tomcat.apache.org by Remy Maucherat <re...@apache.org> on 2002/03/07 02:58:35 UTC

[SECURITY] More information on Tomcat 4.0.3

After additional review, it has been discovered that the security bug fixed
in Tomcat 4.0.3 was more severe than originally thought, and can be used to
remotely browse the server filesystem.

To exploit this bug, an attacker would require that some user modifiable
data (like a form POST data, or a URL) is directly used by a servlet or JSP
in a request dispatcher forward or include.

It can be hard to determine if an installation of Tomcat is vulnerable to
this exploit, as it depends on the web applications installed.
IMPORTANT NOTE: The default Tomcat installation is NOT vulnerable to this
bug.

Because of this, it is HIGHLY recommended that all Tomcat 4.0.x users
either:
- Apply the binary patch which is available at
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/
Note: This particular patch can be applied on all official 4.0.x releases
(including 4.0, 4.0.1 and 4.0.2).
- Upgrade to Tomcat 4.0.3.
- Upgrade to Tomcat 4.0.4 Beta 1.

Bugzilla report on this problem:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772

Remy


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
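As an added illustration of the condition the advisory describes (this is not code from the advisory or from Tomcat): a servlet that passes a request parameter straight to a RequestDispatcher forward, beside a hardened form that resolves the parameter through a fixed allow-list so the dispatcher only ever receives application-chosen paths. The parameter name "page" and the view paths are assumed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Pattern the advisory warns about: user-modifiable data (here a query
// parameter, assumed name "page") is used directly as the dispatcher target.
// Whether this is exploitable depends on the container version; the advisory
// says Tomcat 4.0.3 / the hotfix corrects the container-side bug, but the
// application still relies on the container to reject bad paths.
public class UnsafeViewServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");            // attacker-controlled
        RequestDispatcher rd = req.getRequestDispatcher(page);
        rd.forward(req, resp);                             // forwards wherever "page" points
    }
}

// Hardened form: the parameter is only a key into an allow-list of views
// defined by the application, so no user-supplied string reaches the
// dispatcher. Unknown keys get a 404 rather than a forward.
public class SafeViewServlet extends HttpServlet {
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        // Assumed view names and JSP paths for this example.
        VIEWS.put("home", "/WEB-INF/views/home.jsp");
        VIEWS.put("help", "/WEB-INF/views/help.jsp");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String key = req.getParameter("page");
        String target = (key == null) ? null : VIEWS.get(key);
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

When auditing an installation as the advisory suggests, grepping deployed web applications for getRequestDispatcher, RequestDispatcher.forward/include and <jsp:forward>/<jsp:include> whose page argument derives from request data is the practical way to find the pattern in the first class above.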


Re: [SECURITY] More information on Tomcat 4.0.3

Posted by Richard Murphy <rm...@hbs.edu>.
Heads up Tomcatters ...

Richard

Remy Maucherat wrote:

> After additional review, it has been discovered that the security bug fixed
> in Tomcat 4.0.3 was more severe than originally thought, and can be used to
> remotely browse the server filesystem.
>
> To exploit this bug, an attacker would require that some user modifiable
> data (like a form POST data, or a URL) is directly used by a servlet or JSP
> in a request dispatcher forward or include.
>
> It can be hard to determine if an installation of Tomcat is vulnerable to
> this exploit, as it depends on the web applications installed.
> IMPORTANT NOTE: The default Tomcat installation is NOT vulnerable to this
> bug.
>
> Because of this, it is HIGHLY recommended that all Tomcat 4.0.x users
> either:
> - Apply the binary patch which is available at
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/
> Note: This particular patch can be applied on all official 4.0.x releases
> (including 4.0, 4.0.1 and 4.0.2).
> - Upgrade to Tomcat 4.0.3.
> - Upgrade to Tomcat 4.0.4 Beta 1.
>
> Bugzilla report on this problem:
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772
>
> Remy
>

