Posted to dev@tomcat.apache.org by Vineet Bhatia <vb...@mailfrontier.com> on 2005/10/17 23:42:17 UTC
Apache Tomcat Web Root Path Disclosure Vulnerability
Hello,
One of our customers running Apache Tomcat version 4.1.29 ran some type
of vulnerability scanner which detected an "Apache Tomcat Web Root
Path Disclosure Vulnerability". Did some research on the net and many
sites mentioned that this vulnerability only affected 4.0.3. But I want
to get confirmation from this forum. Thanks.
Vineet Bhatia
Technical Support Engineering
<http://www.mailfrontier.com/> MailFrontier, Inc.
http://www.MailFrontier.com
________________________________
Please leave original e-mail in place when replying.
Re: Apache Tomcat Web Root Path Disclosure Vulnerability
Posted by Yoav Shapira <yo...@apache.org>.
Hi,
The vulnerability was reported for 4.0.3. That's not the same as only
affecting 4.0.3 ;) 4.0.6 and later, including 4.1.x, 5.0.x, and 5.5.x, should
be fine. I think 3.3.x is fine as well.
This is a trivial vulnerability to test: ask the server for a resource that
does not exist, and look at the contents of the 404 error page.
This is also a trivial vulnerability to work around if you absolutely cannot
change server versions: put in a custom 404 error page with whatever content
you want.
Yoav
Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com
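The test and the workaround Yoav describes, as an added example that is not part of the original thread and not Tomcat's own code: the script below asks for a resource that cannot exist and scans the 404 body for absolute filesystem paths, treating an echo of the request URI itself as harmless (every container echoes that) and anything longer, such as a webapps directory on disk, as a disclosure. The probe name, the regular expressions and the three sample 404 bodies are constructed for illustration, not captured from any Tomcat release.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Request a name that cannot exist so the server must produce its 404 page.
PROBE_PATH = "/probe-does-not-exist-7f3a9c1e.jsp"

# Candidate filesystem paths in the response body: a POSIX absolute path
# with at least two directory components, or a Windows drive path.
# The lookbehind keeps URL fragments such as "http://host/a/b/" and
# version strings such as "Tomcat/4.1.29" from being taken for paths on disk.
POSIX_PATH = re.compile(r"(?<![\w.:/-])/(?:[\w.+-]+/){2,}[\w.+-]*")
WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[^\s\\<>\"'()]+\\)+[^\s\\<>\"'()]*")


def disclosed_paths(body, probe_path=PROBE_PATH):
    """Return the on-disk paths a 404 body leaks, deduplicated, in order.

    Echoing the URL path we requested is normal and is not a leak; a path
    that is longer than the request URI (typically ending in it) is.
    """
    leaks = []
    for match in POSIX_PATH.finditer(body):
        path = match.group(0)
        if path == probe_path or probe_path.startswith(path):
            continue
        if path not in leaks:
            leaks.append(path)
    for match in WIN_PATH.finditer(body):
        path = match.group(0)
        if path not in leaks:
            leaks.append(path)
    return leaks


def probe(base_url, probe_path=PROBE_PATH, timeout=10):
    """Fetch base_url + probe_path and return any paths leaked by the 404 page.

    Live network check; the offline samples below do not call it.
    """
    url = base_url.rstrip("/") + probe_path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    if status != 404:
        raise RuntimeError("expected 404 for %s, got %d" % (probe_path, status))
    return disclosed_paths(body, probe_path)


# Constructed sample bodies (not captured from a real server).
# A verbose page that echoes the resolved file name on a Unix host:
LEAKY_404 = (
    "<html><head><title>Error report</title></head><body>"
    "<h1>HTTP Status 404 - /usr/local/jakarta-tomcat-4.0.3/webapps/ROOT"
    "/probe-does-not-exist-7f3a9c1e.jsp</h1>"
    "<p>The requested resource (/usr/local/jakarta-tomcat-4.0.3/webapps/ROOT"
    "/probe-does-not-exist-7f3a9c1e.jsp) is not available.</p>"
    "</body></html>"
)
# The same kind of page on a Windows host:
LEAKY_404_WIN = (
    "<html><body><p>File not found: C:\\jakarta-tomcat-4.0.3\\webapps\\ROOT"
    "\\probe-does-not-exist-7f3a9c1e.jsp</p></body></html>"
)
# A custom error page, the workaround above: only the request URI is echoed.
CLEAN_404 = (
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested resource (/probe-does-not-exist-7f3a9c1e.jsp) is not "
    "available. Apache Tomcat/4.1.29</p></body></html>"
)


if __name__ == "__main__":
    samples = (("leaky", LEAKY_404), ("leaky-win", LEAKY_404_WIN), ("clean", CLEAN_404))
    for name, body in samples:
        print(name, disclosed_paths(body) or "no path disclosed")
```

Against a live server, `probe("http://host:8080")` applies the same check to the real 404 body; the custom error page Yoav suggests is the standard Servlet mechanism, an `<error-page>` entry in the web application's WEB-INF/web.xml mapping `<error-code>404</error-code>` to a static `<location>` that mentions nothing about the filesystem.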