Hi, also CVE-2008-5515 is now disclosed:
Information Disclosure CVE-2008-5515

When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.

tomcat6: This was fixed in revision 734734[1].
tomcat5: This was fixed in revision 782757[2] and revision 783291[3].

[1] http://svn.apache.org/viewvc?view=rev&revision=734734
[2] http://svn.apache.org/viewvc?view=rev&revision=782757
[3] http://svn.apache.org/viewvc?view=rev&revision=783291