Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2001/01/11 18:10:38 UTC
BugRat Report #744 has been filed.
Bug report #744 has just been filed.
You can view the report at the following URL:
<http://znutar.cortexity.com/BugRatViewer/ShowReport/744>
REPORT #744 Details.
Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: serious
Confidence: confidential
Environment:
Release: 3.2.1
JVM Release: 1.2.2.04
Operating System: HPUX
OS Release: 11
Platform: PA-RISC
Synopsis:
security hole - can download jsp page source code
Description:
When Tomcat 3.2.1 is running in stand-alone mode, simply using telnet to connect to it and issuing "GET /path/file.jsp" downloads the raw source code for the file.
If the command sent is "GET /path/file.jsp HTTP 1.0" then the page is correctly *run* and the *results* are sent back.
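
One way to look for this condition in access logs, as an added example that is not part of the original report: a request line with no version token is the HTTP/0.9 "simple request" form, so the code below flags successful GETs for .jsp resources that carry no HTTP version. The Common Log Format layout, the assumption that the server logs the request line as received, the sample lines and the function name are all assumptions made for illustration.

```python
import re

# Common Log Format (assumed): host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Resource types whose source must never be served verbatim (assumption: JSP only).
SCRIPT_EXT = (".jsp",)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jan/2001:18:02:11 +0000] "GET /path/file.jsp HTTP/1.0" 200 512',
    '192.0.2.44 - - [11/Jan/2001:18:03:40 +0000] "GET /path/file.jsp" 200 2048',
    '192.0.2.44 - - [11/Jan/2001:18:03:52 +0000] "GET /index.html" 200 300',
    '192.0.2.44 - - [11/Jan/2001:18:04:05 +0000] "GET /path/Other.JSP?x=1" 200 1700',
    '192.0.2.51 - - [11/Jan/2001:18:05:00 +0000] "GET /path/missing.jsp" 404 0',
    'garbage line that is not in Common Log Format',
]


def versionless_script_hits(log_lines):
    """Return (host, time, target) for each successful version-less GET of a script."""
    hits = []
    for raw in log_lines:
        m = CLF.match(raw.strip())
        if not m:
            continue  # not a Common Log Format line; skip it
        host, when, request, status, _size = m.groups()
        parts = request.split()
        if len(parts) != 2:
            continue  # a version token is present, or the request line is empty
        method, target = parts
        # Drop the query string and path parameters before checking the extension.
        path = re.split(r"[?;]", target, maxsplit=1)[0].lower()
        if method == "GET" and status == "200" and path.endswith(SCRIPT_EXT):
            hits.append((host, when, target))
    return hits


if __name__ == "__main__":
    for host, when, target in versionless_script_hits(SAMPLE_LOG):
        print(f"{when} {host} version-less request served: {target}")
```

A hit means only that such a request was answered with a 200; whether the body was page source or rendered output has to be confirmed from the response itself.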