Java Mailing List Archive

http://www.junlu.com/

Tomcat Users

security hole on windows tomcat?

2003-08-10

I came across what appears to be a security hole when running Tomcat.
I'm not sure how widespread it is, but my Linux server is safe, yet my
Windows XP, Tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a JSP page it shows the source code
instead of displaying the page:

http://192.168.1.54:8080/index.jsp <shows page as expected>
http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>

So how widespread is this?

Paul Sundling
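
A defender's check for the request pattern reported above, as an added example that is not part of the original post: it scans access-log lines for JSP requests whose decoded path ends in a space. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log layout: Common Log Format, i.e. ... "METHOD target PROTO" status size
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def trailing_space_jsp(target, extensions=(".jsp",)):
    """True if the decoded path is a JSP name followed only by spaces."""
    path = unquote(urlsplit(target).path)   # drop the query, decode %20
    stripped = path.rstrip(" ")
    return stripped != path and stripped.lower().endswith(extensions)

def scan(lines):
    """Return (line number, request target, HTTP status) for each suspicious hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if m and trailing_space_jsp(m["target"]):
            hits.append((n, m["target"], int(m["status"])))
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.168.1.10 - - [10/Aug/2003:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 1042',
    '192.168.1.10 - - [10/Aug/2003:10:00:05 +0000] "GET /index.jsp%20 HTTP/1.1" 200 2310',
    '192.168.1.10 - - [10/Aug/2003:10:00:09 +0000] "GET /docs/release%20notes.html HTTP/1.1" 200 512',
    '192.168.1.10 - - [10/Aug/2003:10:00:12 +0000] "GET /admin/login.JSP%20%20?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, target, status in scan(SAMPLE_LOG):
        # A 200 means the server returned content for the padded name: review first.
        note = "content served" if status == 200 else "rejected"
        print(f"line {n}: {target} -> {status} ({note})")
```

Hits answered with status 200 are the ones to review first, since the server returned a body for the padded name.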

