Directory Traversal Attacks in Tomcat

  • 7003901
  • 16-Jul-2009
  • 11-Jul-2012

Environment

Business Service Manager 4.0
Business Service Manager 4.5

Situation

This TID describes the sanity check performed against the Tomcat version shipped with Managed Objects and concludes that the Managed Objects Tomcat version is not affected by directory traversal attacks.

Resolution

Directory traversal attacks were introduced in Tomcat by using the allowLinking option with the Coyote connector.

This option is not present in the version of Tomcat that Managed Objects uses (version 4.1.12).

The allowLinking option only affects Tomcat versions 5.5.0-5.5.26.

Additional Information

More information can be found at: http://tomcat.apache.org/security-5.html (see the Directory traversal section).

Tomcat provides an allowLinking attribute on the StandardContext that lets Tomcat running on Linux platforms serve paths reached through symbolic links. If the value of this attribute is true, symbolic links inside the web application are followed, including links that point to resources outside the web application base path. The default value is false.
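The check described in this TID can be scripted. The following Python script is an added example and is not part of the TID or of the Managed Objects product: it parses Tomcat-style XML context configuration (the constructed server.xml and context.xml snippets embedded below are assumed sample input, not files from any real installation), reports every Context element that sets allowLinking="true", and compares an installed Tomcat version against the 5.5.0-5.5.26 range the TID names. The hypothetical audit() helper combines both checks so an administrator can see at a glance whether either condition applies.

```python
"""Audit Tomcat configuration for the allowLinking setting and version range.

Added example, not code from the TID. Assumes Tomcat context settings live in
ordinary XML files (conf/server.xml, conf/context.xml, META-INF/context.xml)
where <Context> elements may carry an allowLinking attribute.
"""
import xml.etree.ElementTree as ET

# Version range quoted by the TID as affected by the allowLinking issue.
AFFECTED_MIN = (5, 5, 0)
AFFECTED_MAX = (5, 5, 26)

# Constructed sample configuration: one context explicitly enables linking.
SERVER_XML_WEAK = """<Server port="8005">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/reports" docBase="reports" allowLinking="true"/>
        <Context path="/intranet" docBase="intranet"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed sample configuration: linking left at the safe default.
CONTEXT_XML_SAFE = """<Context allowLinking="false"/>"""


def parse_version(version):
    """Turn '5.5.26' (or '5.5.26-beta') into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_in_affected_range(version):
    """True when the version falls inside the range the TID names as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_linking_contexts(xml_text):
    """Return the path of every <Context> element that sets allowLinking to true.

    Element.iter() includes the root itself, so a bare <Context> document
    (as in conf/context.xml) is examined as well as nested contexts.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for ctx in root.iter("Context"):
        if ctx.get("allowLinking", "false").strip().lower() == "true":
            findings.append(ctx.get("path") or ctx.get("docBase") or "(default context)")
    return findings


def audit(version, config_texts):
    """Hypothetical combined check: affected version plus any contexts with linking on.

    config_texts maps a file name to its XML content.
    """
    linking = []
    for name, text in config_texts.items():
        for path in find_linking_contexts(text):
            linking.append((name, path))
    return {
        "version_affected": version_in_affected_range(version),
        "linking_contexts": linking,
    }


if __name__ == "__main__":
    report = audit("5.5.20", {"server.xml": SERVER_XML_WEAK, "context.xml": CONTEXT_XML_SAFE})
    print("Tomcat 4.1.12 affected:", version_in_affected_range("4.1.12"))
    print("Sample config report:", report)
```

In a real deployment, read the XML text from the files under the Tomcat conf directory and from each web application's META-INF/context.xml; a context that does not mention allowLinking inherits the default of false, which is why only an explicit true is reported.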