Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2001/01/02 05:52:11 UTC

BugRat Report #682 has been filed.

Bug report #682 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com/BugRatViewer/ShowReport/682>

REPORT #682 Details.

Project: Catalina
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public
Environment: 
   Release: m5
   JVM Release: ANY
   Operating System: ANY
   OS Release: ANY
   Platform: ANY

Synopsis: 
Security Issue? Important attributes exposed by ServletContext can be modified

Description:
Hi:

  Attributes such as "org.apache.catalina.classloader" and "org.apache.catalina.jsp_classpath" are exposed through ServletContext and can be easily modified. No security violation is generated, and anybody with an application installed on the web server can modify these variables. Isn't it a security problem for Tomcat?

Thanks
-Ramesh
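
The report above asks why application code can overwrite container-set context attributes without any security violation. The following added example (not part of the original report and not Tomcat's code) sketches one way an attribute store could reject such writes; the class GuardedContextAttributes, the method setContainerAttribute and the sample values are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a servlet context's attribute store (not Tomcat code).
public class GuardedContextAttributes {
    private final Map<String, Object> attributes = new ConcurrentHashMap<>();
    private final Set<String> readOnly = ConcurrentHashMap.newKeySet();

    // Container-side path: store the value and lock the name against application writes.
    void setContainerAttribute(String name, Object value) {
        attributes.put(name, value);
        readOnly.add(name);
    }

    // Application-facing counterparts of getAttribute/setAttribute/removeAttribute.
    public Object getAttribute(String name) {
        return attributes.get(name);
    }

    public void setAttribute(String name, Object value) {
        if (value == null) {            // a null value is treated as a removal
            removeAttribute(name);
            return;
        }
        checkWritable(name);
        attributes.put(name, value);
    }

    public void removeAttribute(String name) {
        checkWritable(name);
        attributes.remove(name);
    }

    private void checkWritable(String name) {
        if (readOnly.contains(name)) {
            throw new SecurityException("Attribute is read-only: " + name);
        }
    }

    public static void main(String[] args) {
        GuardedContextAttributes ctx = new GuardedContextAttributes();
        // Constructed sample value; the real attribute would hold a ClassLoader.
        ctx.setContainerAttribute("org.apache.catalina.classloader", "container-loader");
        ctx.setAttribute("app.counter", 1);   // ordinary application attribute: allowed
        try {
            ctx.setAttribute("org.apache.catalina.classloader", "replaced");
        } catch (SecurityException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println(ctx.getAttribute("org.apache.catalina.classloader"));
    }
}
```

The guard protects only the name-to-object binding; a mutable object handed out by getAttribute can still be changed by the caller.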