30th Jan 2003 [SBWID-5957]
COMMAND
	Tomcat information exposure and cross site scripting
SYSTEMS AFFECTED
	Tomcat version 3.x.
PROBLEM
	In Debian Security Advisory [DSA 246-1]:
	
	 http://www.debian.org/security/
	
	The Common Vulnerabilities and Exposures project identifies the
	following problems:
	 . CAN-2003-0042: A maliciously crafted request could return a
	   directory listing even when an index.html, index.jsp, or other
	   welcome file is present.  File contents can be returned as well.
	 . CAN-2003-0043: A malicious web application could read the contents
	   of some files outside the web application via its web.xml file in
	   spite of the presence of a security manager.  The content of files
	   that can be read as part of an XML document would be accessible.
	 . CAN-2003-0044: A cross-site scripting vulnerability was discovered
	   in the included sample web application that allows remote attackers
	   to execute arbitrary script code.
SOLUTION
	For the stable distribution (woody) this problem has been fixed in
	version 3.3a-4.1.
	The old stable distribution (potato) does not contain tomcat packages.
	For the unstable distribution (sid) this problem has been fixed in
	version 3.3.1a-1.