Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: tomcat1.htm

Jakarta Tomcat retrieve arbitrary files

    Jakarta Tomcat


    Apache project: Jakarta Tomcat


    Jan Madsen found  following.  The  Apache project: Jakarta  Tomcat
    contains a serius security bug.  Tomcat is used together with  the
    Apache web server  to serve Java  Server Pages and  Java servlets.
    Summary from the Tomcat development team advisory is posted below.

    Delivered with Tomcat is  an example (jsp/source.jsp) that  can be
    used to deliver the contents of any file on your machine.


    The simplest  course of  action is  to simply  remove this example
    from your machine.  Alternatively, you can replace the  associated
    ShowSource.class file with one from the current 3.1 beta.

    Fixes have been made to the  core of Tomcat to not allow  any file
    references to be  resolved outside of  the context being  used for
    the  resolution.   Additionally,  a   change  has  been  made   to to disallow any requests which contain the  string

    The  3.1  beta  1  release  has  been  refreshed  with these fixes

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH