Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2001/01/11 18:10:38 UTC

BugRat Report #744 has been filed.

Bug report #744 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com/BugRatViewer/ShowReport/744>

REPORT #744 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: serious
Confidence: confidential
Environment: 
   Release: 3.2.1
   JVM Release: 1.2.2.04
   Operating System: HPUX
   OS Release: 11
   Platform: PA-RISC

Synopsis: 
security hole - can download jsp page source code

Description:
When Tomcat 3.2.1 is running in stand-alone mode, simply using telnet to connect to it and issuing "GET /path/file.jsp" downloads the raw source code for the file.

If the command sent is "GET /path/file.jsp HTTP 1.0" then
the page is correctly *run* and the *results* are sent back.
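
An offline regression check for the behaviour described above, added here as an example that is not part of the original report or of Tomcat's code: it flags request/response pairs where a GET with no protocol token for a .jsp path was answered with unprocessed JSP markup. The function names and the sample exchanges are constructed for illustration.

```python
import re

# JSP scriptlet/directive delimiters and standard action tags; none of these
# should survive in a page that the container actually executed.
JSP_MARKERS = re.compile(r"<%|<jsp:\w")

def parse_request_line(line):
    """Split a request line into (method, target, version).

    version is None for a request with no protocol token ("GET <uri>"),
    which is the form the report says returns the page source.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a request line: %r" % line)
    version = parts[2] if len(parts) == 3 else None
    return parts[0], parts[1], version

def is_jsp_target(target):
    # Drop the query string and any ;jsessionid path parameter first.
    path = re.split(r"[?;]", target, maxsplit=1)[0]
    return path.lower().endswith(".jsp")

def leaks_source(request_line, response_body):
    """True when a versionless GET for a .jsp came back with raw JSP markup."""
    method, target, version = parse_request_line(request_line)
    return (method == "GET" and version is None and is_jsp_target(target)
            and JSP_MARKERS.search(response_body) is not None)

# Constructed sample exchanges (request line, response body), not captured traffic.
SAMPLES = [
    ("GET /path/file.jsp",
     '<%@ page import="java.util.*" %>\n<html><%= new Date() %></html>'),
    ("GET /path/file.jsp HTTP 1.0", "<html>Thu Jan 11 18:10:38 2001</html>"),
    ("GET /path/file.jsp", "<html>Thu Jan 11 18:10:38 2001</html>"),
    ("GET /index.html", "<html>static</html>"),
]

def audit(samples):
    """Return the request lines whose responses disclosed JSP source."""
    return [req for req, body in samples if leaks_source(req, body)]

if __name__ == "__main__":
    for req in audit(SAMPLES):
        print("source disclosed for:", req)
```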