Posted to dev@tomcat.apache.org by Remy Maucherat <re...@apache.org> on 2001/04/02 19:16:25 UTC

Re: CHINANSL Security Advisory(CSA-200108)

> ----------
> From: Stian Myhre <ni...@ONLINE.NO>
> Reply-To: Stian Myhre <ni...@ONLINE.NO>
> Date: Mon, 2 Apr 2001 11:54:52 +0200
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: CHINANSL Security Advisory(CSA-200108)
>
> Hi all.
>
> It is possible not only to get the listing
> but also the files.
> If you replace the last / with %5c it will
> give you the file.
>
> example:
> > http://target:8080/%2e%2e/%2e%2e%5cyourfilehere%00.jsp

Did you try it? I can't reproduce that one. It was probably a pre-b2
problem.

Remy
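
A defensive check for the request shape quoted above, as an added example that is not part of the original thread or of Tomcat's code: it decodes each request path once and flags the three elements of the quoted URL (encoded dot segments, a %5c backslash, a %00 NUL). The log lines, log format and function names are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (not taken from the thread).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2001:11:54:52 +0200] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.7 - - [02/Apr/2001:11:55:10 +0200] "GET /%2e%2e/%2e%2e%5cyourfilehere%00.jsp HTTP/1.0" 200 88',
    '10.0.0.9 - - [02/Apr/2001:11:56:01 +0200] "GET /docs/a%20b.html HTTP/1.0" 200 1024',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')


def inspect_path(raw_target):
    """Return the reasons a raw request target should be rejected (empty if clean)."""
    path = raw_target.split("?", 1)[0]      # ignore the query string
    decoded = unquote_to_bytes(path)        # percent-decode exactly once, as bytes
    reasons = []
    if b"\x00" in decoded:                  # %00 truncates names in C-string APIs
        reasons.append("nul-byte")
    if b"\\" in decoded:                    # %5c acts as a separator on Windows
        reasons.append("backslash")
    # Treat both separators alike before looking for parent-directory segments.
    segments = decoded.replace(b"\\", b"/").split(b"/")
    if b".." in segments:
        reasons.append("dot-dot-segment")
    # A '%' left after one decode means a second decode would change the path.
    # Conservative: this also flags a legitimately encoded literal '%'.
    if b"%" in decoded:
        reasons.append("double-encoding")
    return reasons


def scan(lines):
    """Return (request target, reasons) for every log line with a suspicious path."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            reasons = inspect_path(match.group(1))
            if reasons:
                hits.append((match.group(1), reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_LOG):
        print(target, "->", ", ".join(reasons))
```

The same `inspect_path` logic can sit in front of file resolution as a reject filter, provided the path is decoded only once and the decoded form is the one later used to open the file.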