[24824] in bugtraq
re: Tomcat Security Exposure
daemon@ATHENA.MIT.EDU (Adam Manock)
Mon Mar 25 18:44:37 2002
Message-Id: <5.1.0.14.2.20020325072608.02315020@pop.earthlink.net>
Date: Mon, 25 Mar 2002 07:28:54 -0500
To: bugtraq@securityfocus.com
From: Adam Manock <abmanock@earthlink.net>
From the Tomcat-user list, anyone know any more?
>During development and deployment I discovered
>that many types of errors while reading the web.xml
>file would result in the app coming up (at least
>partly), but with no security.
>
>This seems like a serious security exposure in
>a production environment.
>
>I believe this is potentially a serious security
>exposure and suggest that Tomcat should never
>allow access to the app if it has any problems
>reading the web.xml file or establishing any of
>the security environment.
>
>Frank Lawlor
>Athens Group, Inc.
>(512) 345-0600 x151
>Athens Group, an employee-owned consulting firm integrating technology
>strategy and software solutions.
Adam
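
A fail-closed pre-deployment check for the condition described in the quoted message, as an added example that is not part of the original post and is not Tomcat code. It goes beyond parse errors by also rejecting a well-formed web.xml that declares no security; the function names, the `REQUIRED` set and the sample descriptors are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: the application depends on container-managed security, so both
# of these elements must be present in its deployment descriptor.
REQUIRED = ("security-constraint", "login-config")

def local(tag):
    """Drop an XML namespace so DTD-era and namespaced descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def check_web_xml(text, required=REQUIRED):
    """Return a list of problems; an empty list means the descriptor passed."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]   # fail closed on any parse error
    if local(root.tag) != "web-app":
        return [f"unexpected root element <{local(root.tag)}>"]
    present = {local(child.tag) for child in root}
    problems = [f"missing <{name}>" for name in required if name not in present]
    for sc in root:
        if local(sc.tag) != "security-constraint":
            continue
        kids = {local(k.tag) for k in sc}
        if "web-resource-collection" not in kids:
            problems.append("security-constraint protects no resources")
        if not kids & {"auth-constraint", "user-data-constraint"}:
            problems.append("security-constraint imposes no restriction")
    return problems

# Constructed sample descriptors (not taken from the post).
GOOD = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
BROKEN = GOOD.replace("</auth-constraint>", "")      # mismatched tag
NO_SECURITY = "<web-app><display-name>demo</display-name></web-app>"

if __name__ == "__main__":
    found = check_web_xml(open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD)
    sys.exit("\n".join(found) if found else 0)
```

Run with the path to a web.xml as its argument; a non-zero exit status can be used to stop a deployment script before the application is started.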