Posted to users@tomcat.apache.org by William Brogden <wb...@bga.com> on 2000/10/12 14:59:49 UTC

JSP security article

Here is an interesting article on server security:
http://www.builder.com/Servers/SecurityIssues/100400/?tag=st.bl.3880.linksgp

Tomcat is not mentioned - I wonder if it is vulnerable to these
exploits?

-- 
WBB - wbrogden@bga.com  Chief Scientist, LANWrights, Inc.
Java Programmer Certification information and mock exam
at  http://www.lanw.com/java/javacert/

Re: JSP security article

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
William Brogden wrote:

> Here is an interesting article on server security:
> http://www.builder.com/Servers/SecurityIssues/100400/?tag=st.bl.3880.linksgp
>
> Tomcat is not mentioned - I wonder if it is vulnerable to these
> exploits?
>

When the original Foundstone report came out about this bug (several months
ago), Tomcat was corrected.  I believe that was prior to 3.1 final, but I'm not
positive -- I know that it has been corrected in 3.2 and 4.0.

Note that this vulnerability will only occur on a server platform that does
*not* use case sensitive filenames.  On a Linux box, for example, asking for
"date.JSP" when the real file is "date.jsp" will simply return "file not
found".

>
> --
> WBB - wbrogden@bga.com  Chief Scientist, LANWrights, Inc.
> Java Programmer Certification information and mock exam
> at  http://www.lanw.com/java/javacert/

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
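The mechanism Craig describes (a case-sensitive "*.jsp" mapping in front of a case-insensitive filesystem) as a small added model, not Tomcat's own code and not from either poster. The container, the in-memory webapp, the file names and the two serve functions are all assumed for illustration; the point is that the handler must be chosen from the resource actually resolved on disk, not from the spelling in the request.

```python
# Added model of the case-sensitivity source-disclosure bug discussed in the
# thread.  Assumptions (not Tomcat's code): a container maps "*.jsp" to the
# JSP engine with an exact, case-sensitive extension match and otherwise
# falls back to a default servlet that streams the file's bytes.
import os

# Constructed in-memory webapp: file name on disk -> file contents.
WEBAPP = {
    "date.jsp": '<%@ page import="java.util.Date" %><%= new Date() %>',
    "readme.txt": "plain text, fine to serve as-is",
}


def lookup(path, case_insensitive_fs):
    """Resolve a request path the way the OS would.

    Exact match only on a case-sensitive filesystem (e.g. Linux); on a
    case-insensitive one (e.g. Windows) "date.JSP" also finds "date.jsp".
    Returns the canonical on-disk name, or None.
    """
    if path in WEBAPP:
        return path
    if case_insensitive_fs:
        for name in WEBAPP:
            if name.lower() == path.lower():
                return name
    return None


def serve_vulnerable(path, case_insensitive_fs):
    """Handler chosen from the literal request string.

    "date.JSP" does not end in ".jsp", so it bypasses the JSP engine; on a
    case-insensitive filesystem the default servlet then finds "date.jsp"
    and returns its source.  On Linux the same request is simply a 404.
    """
    if path.endswith(".jsp"):
        return ("jsp-engine", None)          # compiled and executed, no source
    real = lookup(path, case_insensitive_fs)
    if real is None:
        return ("404", None)
    return ("default-servlet", WEBAPP[real])  # raw bytes: JSP source leaks


def serve_hardened(path, case_insensitive_fs):
    """Handler chosen from the canonical on-disk name, with aliases refused.

    Two checks: (1) a request whose spelling differs from the resolved
    name is an alias and is rejected outright; (2) the extension test is
    done case-insensitively on the canonical name, so "Date.JSP" on disk
    still reaches the JSP engine.
    """
    real = lookup(path, case_insensitive_fs)
    if real is None:
        return ("404", None)
    if real != path:
        return ("404", None)                  # refuse case-variant aliases
    if os.path.splitext(real)[1].lower() == ".jsp":
        return ("jsp-engine", None)
    return ("default-servlet", WEBAPP[real])


if __name__ == "__main__":
    for fs in (False, True):
        label = "case-insensitive" if fs else "case-sensitive"
        print(label, "vulnerable:", serve_vulnerable("date.JSP", fs)[0])
        print(label, "hardened:  ", serve_hardened("date.JSP", fs)[0])
```

Run as-is and the vulnerable dispatcher reports `default-servlet` for `date.JSP` only on the case-insensitive filesystem, which is exactly the platform dependence Craig points out; the hardened dispatcher never hands a JSP's bytes to the default servlet on either filesystem.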