Bugtraq mailing list archives

Re: Tomcat 4.1 real path disclosure


From: Joe Testa <jtesta () rapid7 com>
Date: Fri, 19 Apr 2002 14:52:12 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It appears as though Tomcat v3.2.3 is not vulnerable:


GET /+/index.jsp HTTP/1.0
- -------------------------
Not Found (404)
Original request: /+/index.jsp
Not found request: /+/index.jsp


GET />/index.jsp HTTP/1.0
- -------------------------
Not Found (404)
Original request: /&gt;/index.jsp
Not found request: /&gt;/index.jsp


GET /</index.jsp HTTP/1.0
- -------------------------
Not Found (404)
Original request: /&lt;/index.jsp
Not found request: /&lt;/index.jsp


GET /%20/index.jsp HTTP/1.0
- -------------------------
Not Found (404)
Original request: /%20/index.jsp
Not found request: /%20/index.jsp



  - Joe Testa



NeXpose: the only expert-system based network vulnerability
scanner with less than 1% false positives: http://www.rapid7.com/

GPG key:  http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52  AD6D 65B2 F5DF 4B11 06B4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8wGbHZbL130sRBrQRAkGMAJ9fDpuPNn+GiGHXg7Xkmrg61VVCDwCeO0z+
rgjmj5/3k580whGTDaY1/BI=
=Xg2V
-----END PGP SIGNATURE-----


