Hi,

The vulnerability was reported for 4.0.3. That's not the same as only affecting 4.0.3 ;) 4.0.6 and later, including 4.1.x, 5.0.x, and 5.5.x, should be fine. I think 3.3.x is fine as well.

This is a trivial vulnerability to test: ask the server for a resource that does not exist, and look at the contents of the 404 error page.

This is also a trivial vulnerability to work around if you absolutely cannot change server versions: put in a custom 404 error page with whatever content you want.

Yoav

--- Vineet Bhatia <[EMAIL PROTECTED]> wrote:
> Hello,
>
> One of our customers running Apache Tomcat version 4.1.29 ran some type
> of a vulnerability scanner which detected an "Apache Tomcat Web Root
> Path Disclosure Vulnerability". Did some research on the net and many
> sites mentioned that this vulnerability only affected 4.0.3. But I want
> to get confirmation from this forum. Thanks.
>
>
>
> Vineet Bhatia
> Technical Support Engineering
> <http://www.mailfrontier.com/> MailFrontier, Inc.
> http://www.MailFrontier.com
> ________________________________
>
> Please leave original e-mail in place when replying.
>
>

Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
[EMAIL PROTECTED] / www.yoavshapira.com
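
Added example, not part of the original thread: a Python sketch of the test described in the reply above, which requests a resource that should not exist and scans the error page for absolute filesystem paths. The regular expressions, the function names and the sample error pages are assumptions constructed for illustration; they are not actual Tomcat output.

```python
import html
import re
import urllib.error
import urllib.request
import uuid

# Heuristics (assumed, not Tomcat-specific): Windows drive paths and
# Unix absolute paths with at least two segments.
_WIN = re.compile(r"\b[A-Za-z]:[\\/](?:[\w.$-]+[\\/])+[\w.$-]*")
_UNIX = re.compile(r"(?<![\w:/.])/(?:[\w.$-]+/)+[\w.$-]+")

# Constructed sample error pages, not captured from a real server.
SAMPLE_LEAKY = ("<html><body><h1>404</h1><p>File &quot;/opt/tomcat/webapps/"
                "ROOT/nope.jsp&quot; not found.</p></body></html>")
SAMPLE_CUSTOM = "<html><body>Sorry, /docs/nope.jsp is not available.</body></html>"


def leaked_paths(body, request_path):
    """Return absolute filesystem paths found in an error-page body.

    A page that only echoes the requested URL path is not a disclosure,
    so a match equal to request_path is ignored.
    """
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))
    found = {p.rstrip(".") for p in _WIN.findall(text) + _UNIX.findall(text)}
    found.discard(request_path)
    return sorted(found)


def check_server(base_url, timeout=5):
    """Request a resource that should not exist and scan the error page."""
    path = "/" + uuid.uuid4().hex + ".jsp"
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # a 404 response is raised as HTTPError
        status, body = err.code, err.read()
    return status, leaked_paths(body.decode("utf-8", "replace"), path)


if __name__ == "__main__":
    print(leaked_paths(SAMPLE_LEAKY, "/nope.jsp"))        # path disclosed
    print(leaked_paths(SAMPLE_CUSTOM, "/docs/nope.jsp"))  # custom page, clean
```

Run `check_server` against your own server's base URL before and after installing a custom 404 page; an empty list in the second element means the error page no longer exposes a filesystem path.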