Posted to users@tomcat.apache.org by Asaf Barkan <as...@mercury.co.il> on 2003/08/24 17:04:23 UTC
security hole on Windows/Tomcat with JRE 1.4.2 (b28)
The syndrome is that when typing:
http://myurl:8080/myfile.jsp%20
http://myurl:8080/myfile.jsp%20
The JSP code is delivered to the client.
I have checked this on the following platforms:
Win2k server (SP3)
JRE 1.4.2 (b28)
IIS 5/Tomcat HTTP 1.1 connector
It works but it is not consistent (could be some race case).
BTW I have tried this on 1.4.2 (b2) and I could not compromise this hole.
I have encountered a discussion on a similar issue with a recommendation to
add the following argument to the Tomcat string:
-Dsun.io.useCanonCaches=false
I have tried this and it solved the problem.
Can someone tell me whether there are other solutions and what this parameter
means?
Thanks a lot
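The trailing-%20 request pattern described in the post, turned into a log check. This is an added example, not code from the thread or from Tomcat: it assumes access logs in Common Log Format and constructs its own sample lines. The mechanism behind this class of bug is that Windows drops trailing spaces and dots from a file name, so a request for `myfile.jsp%20` is not mapped to the JSP handler by its literal extension (`.jsp `) yet resolves on disk to `myfile.jsp` and can be served as a static file; the check therefore also covers the trailing-dot variant, a generalisation of the %20 case in the post.

```python
import re
from urllib.parse import unquote

# Extensions the container is expected to hand to a servlet rather than serve
# as static files. Assumed for this example; adjust to the deployment.
HANDLED_EXTENSIONS = {".jsp"}

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def suspicious_request(target):
    """Return the handled extension hidden by trailing spaces/dots in the
    request target (e.g. '.jsp' for '/myfile.jsp%20'), else None."""
    path = unquote(target.split("?", 1)[0])      # decode %20 etc., drop query
    name = path.rsplit("/", 1)[-1]               # last path segment
    stripped = name.rstrip(" .")                 # what Windows would open
    if stripped == name:
        return None                              # nothing was trimmed
    ext = "." + stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    return ext if ext in HANDLED_EXTENSIONS else None

def scan_log(lines):
    """Return (ip, target, status, served) for each suspicious request.
    served is True when the server answered 200 with a body, which in the
    scenario from the post means the JSP source went out as a static file."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or suspicious_request(m["target"]) is None:
            continue
        served = m["status"] == "200" and m["size"] not in ("-", "0")
        findings.append((m["ip"], m["target"], int(m["status"]), served))
    return findings

# Constructed sample log lines, not taken from the original post.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Aug/2003:17:04:23 +0000] "GET /myfile.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Aug/2003:17:04:31 +0000] "GET /myfile.jsp%20 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [24/Aug/2003:17:05:02 +0000] "GET /myfile.jsp. HTTP/1.1" 404 -',
    '10.0.0.9 - - [24/Aug/2003:17:05:10 +0000] "GET /index.html%20 HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for ip, target, status, served in scan_log(SAMPLE_LOG):
        verdict = "source likely disclosed" if served else "request rejected"
        print(f"{ip} {target} -> {status}: {verdict}")
```

A 200 with a non-empty body on a flagged request is the signal worth alerting on; a 404 on the same pattern shows the container (or the `-Dsun.io.useCanonCaches=false` setting from the post) is rejecting it as intended.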
Re: security hole on Windows/Tomcat with JRE 1.4.2 (b28)
Posted by Tim Funk <fu...@joedog.org>.
Search the archives - I think this is a JDK 1.4.2-related bug.
-Tim