Posted to dev@tomcat.apache.org by Vineet Bhatia <vb...@mailfrontier.com> on 2005/10/17 23:42:17 UTC

Apache Tomcat Web Root Path Disclosure Vulnerability

Hello,

One of our customers running Apache Tomcat version 4.1.29 ran some type
of vulnerability scanner which detected an "Apache Tomcat Web Root
Path Disclosure Vulnerability". Did some research on the net and many
sites mentioned that this vulnerability only affected 4.0.3. But I want
to get confirmation from this forum. Thanks.

Vineet Bhatia
Technical Support Engineering
MailFrontier, Inc.
http://www.MailFrontier.com
________________________________

Please leave original e-mail in place when replying.

Re: Apache Tomcat Web Root Path Disclosure Vulnerability

Posted by Yoav Shapira <yo...@apache.org>.
Hi,
The vulnerability was reported for 4.0.3.  That's not the same as only
affecting 4.0.3 ;)  4.0.6 and later, including 4.1.x, 5.0.x, and 5.5.x, should
be fine.  I think 3.3.x is fine as well.

This is a trivial vulnerability to test: ask the server for a resource that
does not exist, and look at the contents of the 404 error page.

This is also a trivial vulnerability to work around if you absolutely cannot
change server versions: put in a custom 404 error page with whatever content
you want.

Yoav

--- Vineet Bhatia <vb...@mailfrontier.com> wrote:

> Hello,
> 
> One of our customers running Apache Tomcat version 4.1.29 ran some type
> of vulnerability scanner which detected an "Apache Tomcat Web Root
> Path Disclosure Vulnerability". Did some research on the net and many
> sites mentioned that this vulnerability only affected 4.0.3. But I want
> to get confirmation from this forum. Thanks.
> 
> Vineet Bhatia
> Technical Support Engineering
> MailFrontier, Inc.
> http://www.MailFrontier.com
> ________________________________
> 
> Please leave original e-mail in place when replying.


Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com
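The self-check Yoav describes (ask your own server for a resource that does not exist and inspect the 404 body for a server-side path) as a small script. This is an added example, not code from the thread or from Tomcat; the sample error bodies are constructed, and the probe path and the list of "server-side" directory names are assumptions you should adjust to your install.

```python
"""Self-check for 404 path disclosure: fetch a 404 page from a Tomcat you
administer and look for server-side filesystem paths in its body."""
import re
import urllib.error
import urllib.request

# Absolute Unix paths with at least two components ("/usr/local/..."), so a bare
# request URI such as "/missing.jsp" in Tomcat's stock 404 text does not match.
_UNIX_PATH = re.compile(r"(?<![\w/])/(?:[\w.\-]+/)+[\w.\-]+")
# Windows drive paths ("C:\tomcat\webapps\...") are always server-side.
_WIN_PATH = re.compile(r"\b[A-Za-z]:\\[^\s\"'<>()]+")
# Directory names that mark a path as server-side rather than a request URI
# (assumed list; add your own install prefix).
_MARKER_DIRS = {"webapps", "web-inf", "work", "usr", "opt", "var", "home", "srv"}
_MARKER_SUBSTRINGS = ("tomcat", "catalina", "jakarta")


def _is_server_side(path):
    """Heuristic: drive-letter paths, or Unix paths containing a marker dir."""
    if _WIN_PATH.fullmatch(path):
        return True
    for comp in path.split("/"):
        low = comp.lower()
        if low in _MARKER_DIRS or any(s in low for s in _MARKER_SUBSTRINGS):
            return True
    return False


def find_disclosed_paths(body):
    """Return the filesystem paths an error page body appears to leak."""
    candidates = _UNIX_PATH.findall(body) + _WIN_PATH.findall(body)
    return [p for p in candidates if _is_server_side(p)]


def fetch_404_body(base_url, probe="/this-should-not-exist-4f2a9.jsp"):
    """Request a resource that does not exist and return the error page body.
    Point base_url at a server you administer; the probe name is arbitrary."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + probe) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # a 404 is raised as an exception
        return err.read().decode("utf-8", errors="replace")


# Constructed sample bodies (not real Tomcat output) for an offline run.
LEAKING_404 = ("java.io.FileNotFoundException: "
               "/usr/local/jakarta-tomcat-4.0.3/webapps/ROOT/missing.jsp (No such file)")
CLEAN_404 = "HTTP Status 404 - /missing.jsp\n\nThe requested resource (/missing.jsp) is not available."

if __name__ == "__main__":
    for name, body in (("leaking", LEAKING_404), ("clean", CLEAN_404)):
        print(name, "->", find_disclosed_paths(body) or "no paths disclosed")
```

Run it as `find_disclosed_paths(fetch_404_body("http://your-tomcat:8080"))` against your own instance; an empty list means the 404 page echoes only the request URI, which is what the custom error page workaround should produce.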

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org