
Netsparker, Web Application Security Scanner

XSS, Cross Site Scripting, Javascript Injection, member.rodale.com, CWE-79, CAPEC-86

Netsparker - Scan Report Summary
TARGET URL: https://member.rodale.com/cas/login?service=h...
SCAN DATE: 3/10/2011 4:28:35 PM
REPORT DATE: 3/10/2011 4:30:23 PM
SCAN DURATION: 00:00:14

Total Requests
Average Speed (req/sec.)

6 identified
3 confirmed
0 critical
2 informational

GHDB, DORK Tests
PROFILE: Previous Settings
ENABLED ENGINES: Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

IMPORTANT: 17 %
LOW: 50 %
INFORMATION: 33 %
Cross-site Scripting

1 TOTAL
IMPORTANT
CONFIRMED: 1
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured white-list libraries available for many different environments; good examples include the OWASP Reform and Microsoft Anti Cross-site Scripting libraries.

Remedy References

External References

- /cas/login

/cas/login CONFIRMED

https://member.rodale.com/cas/login?'"--></style></script><script>alert(0x000498)</script>

Parameters

Parameter Type Value
service GET http://www.menshealth.com/cda/j_acegi_cas_security_check
Query Based QUERYSTRING '"--></style></script><script>alert(0x000498)</script>

Request

GET /cas/login?'"--></style></script><script>netsparker(0x000498)</script> HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: member.rodale.com
Cookie: JSESSIONID=489825E44EC7B5D7EBCF7678DCBEADCF
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Transfer-Encoding: chunked
Date: Thu, 10 Mar 2011 22:27:51 GMT





<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Rodale Central Authentication Service (CAS) Login</title>
<link rel="stylesheet" href="themes/prevention/pvnCasStyles.css" type="text/css"/ >


<script src='/cas/js/coremetrics/prevention/cmdatatagutils.js' type="text/javascript" language="javascript"></script>
<script src='/cas/js/coremetrics/prevention/v40/eluminate.js' type="text/javascript" language="javascript"></script>
<script src='/cas/js/coremetrics/prevention/v40/techprops.js' type="text/javascript" language="javascript"></script>
<script src='/cas/js/coremetrics/prevention/coremetrics.js' type="text/javascript" language="javascript"></script>
<script type="text/javascript" language="JavaScript">
function doCoremetrics() {
if(location.hostname=='member.rodale.com') {
cmSetProduction();
}
cmCreatePageviewTag("Members-Sign Up or Log In", "Members");
cmCreateConversionEventTag ("Member Log In","1","Members","0");
}

/*
* This function will throw the usual signin coremetrics tag and also
* throw in the registration tag as we are going to track signins
* as signups to account for converted users
*/
function executeSignInAndUpCM() {
cmCreateConversionEventTag("Member Log In","2","Members","0");
try{
var emailAttempted = document.getElementById("username").value;
if(emailAttempted!=null && emailAttempted!='')
{
cmCreateRegistrationTag(emailAttempted, emailAttempted, null, null, null);
}
}
catch(e)
{
//Ignore any exceptions in throwing registration tag on login
}

}
</script>
</head>

<body onload="doCoremetrics();">

<div id="wrapper">

<!-- START Header -->
<div id="header"><div id="inner"></div></div>



<!-- START Content -->
<div id="content">

<div id="inner">

<form method="post" action="login?'"--></style></script><script>netsparker(0x000498)</script>" class="loginFrm">

<!-- The following hidden field must be part of the submitted Form -->
<input type="hidden" name="lt" value="_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F" />
<!--
<input type="hidden" name="_eventId" value="submit" />
-->
<!--/p> -->

<!--
<div class="smallLinks floatRight margin5Top">
<a href="?lt=_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F&_eventId=createUser">Need Login? </a>
</div>
-->


<div class="boldBlackHeader">
Member Log In
</div>

<div class="loginInstructions">
Welcome to the Prevention.com Member Center. Please log in to access your Health Trackers, post on our forums, and take advantage of all our member benefits.
</div>

<!-- QC #7417


<div class="msgWrapper">

<span class="warningColor">
<strong class="noteText">
NOTE:
</strong>
</span>

We have recently upgraded our member registration system. Members who joined Prevention.com prior to April 3, 2008, will need to re-register their account.
</div>

-->

<!-- QC #7417
<div class="loginOptionText">
CHOOSE ONE OF THE FOLLOWING OPTIONS:
</div>
-->


<!-- START RE-REGISTER -->
<!--
<div class="loginOptions">

<div class="btnWrapper">
<a href="?lt=_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F&_eventId=convertGroupeeUser" alt="Re-Register" title="Re-Register">
please click here
<div class="btnReRegister">&#160;</div>
</a>
</div>

<div class="loginChoices">
<div class="registrationOption">
1. Not Yet Re-Registered Members
</div>
Members who joined prior to April 3, 2008 need to re-register their accounts
</div>

</div>
-->
<!-- END RE-REGISTER -->


<!-- START JOIN -->
<!-- QC #7417
<div class="loginOptions">
<div class="btnWrapper">

<a href="?lt=_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F&_eventId=createUser">
<div class="btnSignUp margin31Left"></div>
</a>
</div>
<div class="loginChoices">
<div class="registrationOption">
1. Become a Member
</div>
Not a Member? Join the Prevention.com Community now!
</div>

</div>
-->
<!-- END JOIN -->


<!-- START LOGIN -->
<div class="loginOptions">

<!-- QC #7417
THE following empty div tag fixes a layout issue occurring in IE browsers without adding extra space to layout
<div></div>

<div class="loginChoices">
<div class="registrationOption">
2. Registered Members
</div>
If you have already re-registered or became a new member after April 3, 2008, log in here
</div>
-->


<!-- Begin error message generating Server-Side tags -->



<!-- End error message generating Server-Side tags -->
<div class="loginDiv">
<p>
<label for="username" class="labelTxt"><strong>EMAIL:</strong></label>
<input id="username" name="username" size="32" tabindex="1" accesskey="n" title="Email" />
</p>
<p>
<label for="password" class="labelTxt"><strong>PASSWORD:</strong></label>
<input type="password" id="password" name="password" size="32" tabindex="2" accesskey="p" title="Password"/>
</p>
</div>
<!--p><input type="checkbox" id="warn" name="warn" value="false" tabindex="3" />
<span class="accesskey">W</span>arn me before logging me into other sites. -->

<!--p>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!</p> -->

<div>
<div class="btnWrapper">
<input type="image" name="_eventId_submit" onclick="executeSignInAndUpCM();" src="/cas/themes/prevention/images/btn_login.gif" class="margin31Left" />
</div>

<!-- RH : do not show -->
<div class="indent50 pad10Top">
<input type="checkbox" name="rememberMe" id="rememberMe" value="true" />

<label for="rememberMe"><strong>Keep me signed in</strong>&nbsp;for 30 days unless I sign out. <br />
</label>
</div>
<div class="indent64">
<label for="rememberMe">(Uncheck if on a shared computer)</label>
</div>


</div>

<div class="indent50 margin5Top">
<!--
<a href="?lt=_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F&_eventId=forgotUsername">Forgot Your Username?</a><br/ >
-->
<span class="smallLinks">
<a href="?lt=_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F&_eventId=lostPassword">Forgot Your Login?</a>
</span>

<div class="btnCancel">
<span class="smallLinks">
<a href="?lt=_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F&_eventId=cancel">
Cancel
</a>
</span>
</div>

<div class="clearFloats"></div>
</div>
</div>
<!-- END LOGIN -->




<div class="loginOptions">

<div class="btnWrapper">


<a href="?lt=_c89A72292-82BD-CF7C-480D-B2A264E5668E_k4C8E857B-CF0A-953F-D73F-19F17B18C00F&_eventId=createUser">
<div class="btnSignUp margin31Left"></div>
</a>



</div>
<div class="loginChoices">
Not a Member? Join the Prevention.com Community now!
</div>




</div>
</form>



<div class="helpMsg">
<strong>Need Help?</strong> &#160; Please see our <a href="http://www.prevention.com/cda/article/sso-faq-article/2f38d55ab3478110VgnVCM20000012281eac____/news.voices///" target="_new">Registration Frequently Asked Questions</a>.
</div>

</div>
</div>



<!-- START Footer -->
<div id="copyright">
Copyright © 2009 Rodale Inc. "Prevention," "Prevention.com," "Prevention Fitness Systems," and "Flat Belly Diet" are registered trademarks of Rodale Inc. All rights reserved. No reproduction, transmission or display is permitted without the written permissions of Rodale Inc.
</div>



</div>
</body>
</html>

Auto Complete Enabled

1 TOTAL
LOW
CONFIRMED: 1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers, such as those in cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

External References

- /cas/login

/cas/login CONFIRMED

https://member.rodale.com/cas/login?service=http%3A%2F%2Fwww.menshealth.com%2Fcda%2Fj_acegi_cas_secu..

Identified Field Name

password

Request

GET /cas/login?service=http%3A%2F%2Fwww.menshealth.com%2Fcda%2Fj_acegi_cas_security_check HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: member.rodale.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Set-Cookie: JSESSIONID=489825E44EC7B5D7EBCF7678DCBEADCF; Path=/cas; Secure
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Transfer-Encoding: chunked
Date: Thu, 10 Mar 2011 22:27:42 GMT





<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Rodale Central Authentication Service (CAS) Login</title>
<link rel="stylesheet" href="themes/mh/mhCasStyles.css" type="text/css"/ >


<script src='/cas/js/coremetrics/mh/cmdatatagutils.js' type="text/javascript" language="javascript"></script>
<script src='/cas/js/coremetrics/mh/v40/eluminate.js' type="text/javascript" language="javascript"></script>
<script src='/cas/js/coremetrics/mh/v40/techprops.js' type="text/javascript" language="javascript"></script>
<script src='/cas/js/coremetrics/mh/coremetrics.js' type="text/javascript" language="javascript"></script>
<script type="text/javascript" language="JavaScript">
function doCoremetrics() {
if(location.hostname=='member.rodale.com') {
cmSetProduction();
}
cmCreatePageviewTag("Members-Sign Up or Log In", "Members");
cmCreateConversionEventTag ("Member Log In","1","Members","0");
}

/*
* This function will throw the usual signin coremetrics tag and also
* throw in the registration tag as we are going to track signins
* as signups to account for converted users
*/
function executeSignInAndUpCM() {
cmCreateConversionEventTag("Member Log In","2","Members","0");
try{
var emailAttempted = document.getElementById("username").value;
if(emailAttempted!=null && emailAttempted!='')
{
cmCreateRegistrationTag(emailAttempted, emailAttempted, null, null, null);
}
}
catch(e)
{
//Ignore any exceptions in throwing registration tag on login
}

}
</script>
</head>

<body onload="doCoremetrics();">

<div id="wrapper">

<!-- START Header -->
<div id="header"><div id="inner"></div></div>



<!-- START Content -->
<div id="content">

<div id="inner">

<form method="post" action="login;jsessionid=489825E44EC7B5D7EBCF7678DCBEADCF?service=http%3A%2F%2Fwww.menshealth.com%2Fcda%2Fj_acegi_cas_security_check" class="loginFrm">

<!-- The following hidden field must be part of the submitted Form -->
<input type="hidden" name="lt" value="_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9" />
<!--
<input type="hidden" name="_eventId" value="submit" />
-->
<!--/p> -->

<!--
<div class="smallLinks floatRight margin5Top">
<a href="?lt=_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9&_eventId=createUser">Need Login? </a>
</div>
-->


<div class="boldBlackHeader">
Member Log In
</div>

<div class="loginInstructions">
Welcome to the Men's Health Member Center. Please log in to post on our forums, and take advantage of all our member benefits.
</div>

<!-- QC #7417


<div class="msgWrapper">

<span class="warningColor">
<strong class="noteText">
NOTE:
</strong>
</span>

We have recently upgraded our member registration system. Members who joined MensHealth.com prior to August 25, 2008, will need to re-register their account.
</div>

-->

<!-- QC #7417
<div class="loginOptionText">
CHOOSE ONE OF THE FOLLOWING OPTIONS:
</div>
-->


<!-- START RE-REGISTER -->
<!--
<div class="loginOptions">

<div class="btnWrapper">
<a href="?lt=_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9&_eventId=convertGroupeeUser" alt="Re-Register" title="Re-Register">
please click here
<div class="btnReRegister">&#160;</div>
</a>
</div>

<div class="loginChoices">
<div class="registrationOption">
1. Not Yet Re-Registered Members
</div>
Members who joined prior to August 25, 2008 need to re-register their accounts
</div>

</div>
-->
<!-- END RE-REGISTER -->


<!-- START JOIN -->
<!-- QC #7417
<div class="loginOptions">
<div class="btnWrapper">

<a href="?lt=_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9&_eventId=createUser">
<div class="btnSignUp margin31Left"></div>
</a>
</div>
<div class="loginChoices">
<div class="registrationOption">
1. Become a Member
</div>
Not a Member? Sign up now - it's fast and free!
</div>

</div>
-->
<!-- END JOIN -->


<!-- START LOGIN -->
<div class="loginOptions">

<!-- QC #7417
THE following empty div tag fixes a layout issue occurring in IE browsers without adding extra space to layout
<div></div>

<div class="loginChoices">
<div class="registrationOption">
2. Registered Members
</div>
If you have already re-registered or became a new member after August 25, 2008, log in here
</div>
-->


<!-- Begin error message generating Server-Side tags -->



<!-- End error message generating Server-Side tags -->
<div class="loginDiv">
<p>
<label for="username" class="labelTxt"><strong>EMAIL:</strong></label>
<input id="username" name="username" size="32" tabindex="1" accesskey="n" title="Email" />
</p>
<p>
<label for="password" class="labelTxt"><strong>PASSWORD:</strong></label>
<input type="password" id="password" name="password" size="32" tabindex="2" accesskey="p" title="Password"/>
</p>
</div>
<!--p><input type="checkbox" id="warn" name="warn" value="false" tabindex="3" />
<span class="accesskey">W</span>arn me before logging me into other sites. -->

<!--p>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!</p> -->

<div>
<div class="btnWrapper">
<input type="image" name="_eventId_submit" onclick="executeSignInAndUpCM();" src="/cas/themes/mh/images/btn_login.gif" class="margin31Left" />
</div>

<!-- RH : do not show -->
<div class="indent50 pad10Top">
<input type="checkbox" name="rememberMe" id="rememberMe" value="true" />

<label for="rememberMe"><strong>Keep me signed in</strong>&nbsp;for 30 days unless I sign out. <br />
</label>
</div>
<div class="indent64">
<label for="rememberMe">(Uncheck if on a shared computer)</label>
</div>


</div>

<div class="indent50 margin5Top">
<!--
<a href="?lt=_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9&_eventId=forgotUsername">Forgot Your Username?</a><br/ >
-->
<span class="smallLinks">
<a href="?lt=_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9&_eventId=lostPassword">Forgot Your Login?</a>
</span>

<div class="btnCancel">
<span class="smallLinks">
<a href="?lt=_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9&_eventId=cancel">
Cancel
</a>
</span>
</div>

<div class="clearFloats"></div>
</div>
</div>
<!-- END LOGIN -->




<div class="loginOptions">

<div class="btnWrapper">


<a href="?lt=_c8D2E33BC-A8CA-1F55-B398-7FF9071A10EC_k3D89C938-F623-DFF2-76E0-7A9B312571B9&_eventId=createUser">
<div class="btnSignUp margin31Left"></div>
</a>



</div>
<div class="loginChoices">
Not a Member? Sign up now - it's fast and free!
</div>




</div>
</form>



<div class="helpMsg">
<a href="http://www.menshealth.com/cda/article.do?site=MensHealth&channel=events.promotions&category=customer.service&conitem=926dc47c336eb110VgnVCM10000013281eac____" target="_new">Help!</a>
</div>

</div>
</div>



<!-- START Footer -->
<div id="copyright">
Copyright © 2009 Rodale Inc. "MensHealth.com" and "Men's Health" are registered trademarks of Rodale Inc. All rights reserved. No reproduction, transmission or display is permitted without the written permissions of Rodale Inc.
</div>



</div>
</body>
</html>

Cookie Not Marked As HttpOnly

1 TOTAL
LOW
CONFIRMED: 1
Cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HTTPOnly. (After these changes, Javascript code will not be able to read cookies.)

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However, this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /cas/login

/cas/login CONFIRMED

https://member.rodale.com/cas/login?service=http%3A%2F%2Fwww.menshealth.com%2Fcda%2Fj_acegi_cas_secu..

Identified Cookie

JSESSIONID

Request

GET /cas/login?service=http%3A%2F%2Fwww.menshealth.com%2Fcda%2Fj_acegi_cas_security_check HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: member.rodale.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Set-Cookie: JSESSIONID=489825E44EC7B5D7EBCF7678DCBEADCF; Path=/cas; Secure
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Transfer-Encoding: chunked
Date: Thu, 10 Mar 2011 22:27:42 GMT






Apache Coyote Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the Apache Coyote version in the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can look for specific security vulnerabilities for the version identified in the SERVER header. The attacker can also use this information in conjunction with the other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /tomcat-docs/index.html

/tomcat-docs/index.html

https://member.rodale.com/tomcat-docs/index.html

Extracted Version

Apache-Coyote/1.1

Request

GET /tomcat-docs/index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: member.rodale.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"13326-1187991292000"
Last-Modified: Fri, 24 Aug 2007 21:34:52 GMT
Content-Type: text/html
Content-Length: 13326
Date: Thu, 10 Mar 2011 22:27:42 GMT


<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>The Apache Tomcat 5.5 Servlet/JSP Container - Documentation Index</title><meta value="Craig R. McClanahan" name="author"><meta value="craigmcc@apache.org" name="email"><meta value="Remy Maucherat" name="author"><meta value="remm@apache.org" name="email"><meta value="Yoav Shapira" name="author"><meta value="yoavs@apache.org" name="email"></head><body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"><table cellspacing="0" width="100%" border="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img border="0" alt="
The Apache Tomcat Servlet/JSP Container
" align="right" src="./images/tomcat.gif"></a></td><td><font face="arial,helvetica,sanserif"><h1>The Apache Tomcat 5.5 Servlet/JSP Container</h1></font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img border="0" alt="Apache Logo" align="right" src="./images/asf-logo.gif"></a></td></tr></table><table cellspacing="4" width="100%" border="0"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade="noshade"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td nowrap="true" valign="top" width="20%"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://tomcat.apache.org/faq">FAQ</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR</a></li><li><a 
href="virtual-hosting-howto.html">24) Virtual Hosting</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Apache Tomcat Configuration</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li><li><a href="servletapi/index.html">Servlet API Javadocs</a></li><li><a href="jspapi/index.html">JSP API Javadocs</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="status.html">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="catalina/funcspecs/index.html">Functional Specs.</a></li><li><a href="catalina/docs/api/index.html">Apache Tomcat Javadocs</a></li><li><a href="jasper/docs/api/index.html">Apache Jasper Javadocs</a></li><li><a href="architecture/index.html">Architecture</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td align="left" valign="top" width="80%"><table cellspacing="4" width="100%" border="0"><tr><td valign="top" align="left"><h1>The Apache Tomcat 5.5 Servlet/JSP Container</h1><h2>Documentation Index</h2></td><td nowrap="true" valign="top" align="right"><small><a href="printer/index.html"><img alt="Printer Friendly Version" border="0" src="./images/printer.gif"><br>print-friendly<br>version
</a></small></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>

<p>This is the top-level entry point of the documentation bundle for the
<strong>Apache Tomcat</strong> Servlet/JSP container. Apache Tomcat version 5.5
implements the
Servlet 2.4 and JavaServer Pages 2.0 specifications from the
<a href="http://www.jcp.org">Java Community Process</a>, and includes many
additional features that make it a useful platform for developing and deploying
web applications and web services.</p>

<p>Select one of the links from the navigation menu (to the left) to drill
down to the more detailed documentation that is available. Each available
manual is described in more detail below.</p>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Apache Tomcat User Guide"><strong>Apache Tomcat User Guide</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents will assist you in downloading, installing
Apache Tomcat 5, and using many of the Apache Tomcat features.</p>

<ol>
<li><a href="introduction.html"><strong>Introduction</strong></a> - A
brief, high level, overview of Apache Tomcat.</li>
<li><a href="setup.html"><strong>Setup</strong></a> - How to install and run
Apache Tomcat on a variety of platforms.</li>
<li><a href="appdev/index.html"><strong>First web application</strong></a>
- An introduction to the concepts of a <em>web application</em> as defined
in the <a href="http://java.sun.com/products/servlet/download.html">Servlet
2.3 Specification</a>. Covers basic organization of your web application
source tree, the structure of a web application archive, and an
introduction to the web application deployment descriptor
(<code>/WEB-INF/web.xml</code>).</li>
<li><a href="deployer-howto.html"><strong>Deployer</strong></a> -
Operating the Apache Tomcat Deployer to deploy, precompile, and validate web
applications.</li>
<li><a href="manager-howto.html"><strong>Manager</strong></a> -
Operating the <code>Manager</code> web app to deploy, undeploy, and
redeploy applications while Apache Tomcat is running.</li>
<li><a href="realm-howto.html"><strong>Realms and Access Control</strong></a>
- Description of how to configure <em>Realms</em> (databases of users,
passwords, and their associated roles) for use in web applications that
utilize <em>Container Managed Security</em>.</li>
<li><a href="security-manager-howto.html"><strong>Security Manager</strong></a>
- Configuring and using a Java Security Manager to
support fine-grained control over the behavior of your web applications.
</li>
<li><a href="jndi-resources-howto.html"><strong>JNDI Resources</strong></a>
- Configuring standard and custom resources in the JNDI naming context
that is provided to each web application.</li>
<li><a href="jndi-datasource-examples-howto.html">
<strong>JDBC DataSource</strong></a>
- Configuring a JNDI DataSoure with a DB connection pool.
Examples for many popular databases.</li>
<li><a href="class-loader-howto.html"><strong>Classloading</strong></a>
- Information about class loading in Apache Tomcat 5, including where to place
your application classes so that they are visible.</li>
<li><a href="jasper-howto.html"><strong>JSPs</strong></a>
- Information about Jasper configuration, as well as the JSP compiler
usage.</li>
<li><a href="ssl-howto.html"><strong>SSL</strong></a> -
Installing and
configuring SSL support so that your Apache Tomcat will serve requests using
the <code>https</code> protocol.</li>
<li><a href="ssi-howto.html"><strong>SSI</strong></a> -
Using Server Side Includes in Apache Tomcat.</li>
<li><a href="cgi-howto.html"><strong>CGI</strong></a> -
Using CGIs with Apache Tomcat.</li>
<li><a href="proxy-howto.html"><strong>Proxy Support</strong></a> -
Configuring Apache Tomcat 5 to run behind a proxy server (or a web server
functioning as a proxy server).</li>
<li><a href="mbeans-descriptor-howto.html"><strong>MBean Descriptor</strong></a> -
Configuring MBean descriptors files for custom components.</li>
<li><a href="default-servlet.html"><strong>Default Servlet</strong></a> -
Configuring the default servlet and customizing directory listings.</li>
<li><a href="cluster-howto.html"><strong>Apache Tomcat Clustering</strong></a> -
Enable session replication in a Apache Tomcat environment.</li>
<li><a href="balancer-howto.html"><strong>Balancer</strong></a> -
Configuring, using, and extending the load balancer application.</li>
<li><a href="connectors.html"><strong>Connectors</strong></a> -
Connectors available in Apache Tomcat, and native web server integration.</li>
<li><a href="monitoring.html"><strong>Monitoring and Management</strong></a> -
Enabling JMX Remote support, and using tools to monitor and manage Apache Tomcat.</li>
<li><a href="logging.html"><strong>Logging</strong></a> -
Configuring logging in Apache Tomcat.</li>
<li><a href="apr.html"><strong>Apache Portable Runtime</strong></a> -
Using APR to provide superior performance, scalability and better
integration with native server technologies.</li>
<li><a href="virtual-hosting-howto.html"><strong>Virtual Hosting</strong></a> -
Configuring vitual hosting in Apache Tomcat.</li>
</ol>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Reference"><strong>Reference</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents are aimed at <em>System Administrators</em> who
are responsible for installing, configuring, and operating a Apache Tomcat 5 server.
</p>
<ul>
<li><a href="RELEASE-NOTES.txt"><strong>Release notes</strong></a>
- Known issues in this Apache Tomcat release.
</li>
<li><a href="config/index.html"><strong>Apache Tomcat Server Configuration Reference</strong></a>
- Reference manual that documents all available elements and attributes
that may be placed into a Apache Tomcat 5 <code>conf/server.xml</code> file.
</li>
<li><a href="http://tomcat.apache.org/connectors-doc/index.html"><strong>JK Documentation</strong></a>
- Complete documentation and HOWTOs on the JK native webserver connector,
used to interface Apache Tomcat with servers like Apache HTTPd, IIS
and others.</li>
<li><a href="servletapi/index.html"><strong>Servlet API Javadocs</strong></a> -
The Servlet 2.4 API Javadocs.</li>
<li><a href="jspapi/index.html"><strong>JSP API Javadocs</strong></a> -
The JSP 2.0 API Javadocs.</li>
</ul>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Apache Tomcat Developers"><strong>Apache Tomcat Developers</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents are for Java developers who wish to contribute to
the development of the <em>Apache Tomcat</em> project.</p>
<ul>
<li><a href="building.html"><strong>Building from Source</strong></a> -
Details the steps necessary to download Apache Tomcat 5 source code (and the
other packages that it depends on), and build a binary distribution from
those sources.
</li>
<li><a href="changelog.html"><strong>Changelog</strong></a> - Details the
changes made to Apache Tomcat.
</li>
<li><a href="status.html"><strong>Status</strong></a> - Apache Tomcat development
status.
</li>
<li><a href="developers.html"><strong>Developers</strong></a> - List of active
Apache Tomcat contributors.
</li>
<li><a href="catalina/funcspecs/index.html"><strong>Functional Specifications</strong></a>
- Requirements specifications for features of the <em>Catalina</em> servlet
container portion of Apache Tomcat 5.</li>
<li><a href="catalina/docs/api/index.html"><strong>Catalina Javadocs</strong></a>
- Javadoc API documentation for the <em>Catalina</em> servlet
container and its dependencies.</li>
<li><a href="jasper/docs/api/index.html"><strong>Jasper Javadocs</strong></a>
- Javadoc API documentation for the <em>Jasper</em> JSP container
portion of Apache Tomcat 5.</li>
<li><a href="architecture/index.html"><strong>Apache Tomcat Architecture</strong></a>
- Documentation of the Apache Tomcat Server Architecture.</li>

</ul>

</blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade="noshade"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font size="-1" color="#525D76"><em>
Copyright &copy; 1999-2006, Apache Software Foundation
</em></font></div></td></tr></table></body></html>
E-mail Address Disclosure

1 TOTAL
INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam e-mail engines and brute-force tools. Furthermore, valid e-mail addresses may lead to social engineering attacks.

Remedy

Use generic e-mail addresses such as contact@ or info@ for general communications and remove user- or person-specific e-mail addresses from the web site; should this be required, use submission forms for this purpose.

https://member.rodale.com/tomcat-docs/index.html

Found E-mails

  • craigmcc@apache.org
  • remm@apache.org
  • yoavs@apache.org

Request

GET /tomcat-docs/index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: member.rodale.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"13326-1187991292000"
Last-Modified: Fri, 24 Aug 2007 21:34:52 GMT
Content-Type: text/html
Content-Length: 13326
Date: Thu, 10 Mar 2011 22:27:42 GMT


<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>The Apache Tomcat 5.5 Servlet/JSP Container - Documentation Index</title><meta value="Craig R. McClanahan" name="author"><meta value="craigmcc@apache.org" name="email"><meta value="Remy Maucherat" name="author"><meta value="remm@apache.org" name="email"><meta value="Yoav Shapira" name="author"><meta value="yoavs@apache.org" name="email"></head><body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"><table cellspacing="0" width="100%" border="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img border="0" alt="
The Apache Tomcat Servlet/JSP Container
" align="right" src="./images/tomcat.gif"></a></td><td><font face="arial,helvetica,sanserif"><h1>The Apache Tomcat 5.5 Servlet/JSP Container</h1></font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img border="0" alt="Apache Logo" align="right" src="./images/asf-logo.gif"></a></td></tr></table><table cellspacing="4" width="100%" border="0"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade="noshade"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td nowrap="true" valign="top" width="20%"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://tomcat.apache.org/faq">FAQ</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR</a></li><li><a 
href="virtual-hosting-howto.html">24) Virtual Hosting</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Apache Tomcat Configuration</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li><li><a href="servletapi/index.html">Servlet API Javadocs</a></li><li><a href="jspapi/index.html">JSP API Javadocs</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="status.html">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="catalina/funcspecs/index.html">Functional Specs.</a></li><li><a href="catalina/docs/api/index.html">Apache Tomcat Javadocs</a></li><li><a href="jasper/docs/api/index.html">Apache Jasper Javadocs</a></li><li><a href="architecture/index.html">Architecture</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td align="left" valign="top" width="80%"><table cellspacing="4" width="100%" border="0"><tr><td valign="top" align="left"><h1>The Apache Tomcat 5.5 Servlet/JSP Container</h1><h2>Documentation Index</h2></td><td nowrap="true" valign="top" align="right"><small><a href="printer/index.html"><img alt="Printer Friendly Version" border="0" src="./images/printer.gif"><br>print-friendly<br>version
</a></small></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>

<p>This is the top-level entry point of the documentation bundle for the
<strong>Apache Tomcat</strong> Servlet/JSP container. Apache Tomcat version 5.5
implements the
Servlet 2.4 and JavaServer Pages 2.0 specifications from the
<a href="http://www.jcp.org">Java Community Process</a>, and includes many
additional features that make it a useful platform for developing and deploying
web applications and web services.</p>

<p>Select one of the links from the navigation menu (to the left) to drill
down to the more detailed documentation that is available. Each available
manual is described in more detail below.</p>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Apache Tomcat User Guide"><strong>Apache Tomcat User Guide</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents will assist you in downloading, installing
Apache Tomcat 5, and using many of the Apache Tomcat features.</p>

<ol>
<li><a href="introduction.html"><strong>Introduction</strong></a> - A
brief, high level, overview of Apache Tomcat.</li>
<li><a href="setup.html"><strong>Setup</strong></a> - How to install and run
Apache Tomcat on a variety of platforms.</li>
<li><a href="appdev/index.html"><strong>First web application</strong></a>
- An introduction to the concepts of a <em>web application</em> as defined
in the <a href="http://java.sun.com/products/servlet/download.html">Servlet
2.3 Specification</a>. Covers basic organization of your web application
source tree, the structure of a web application archive, and an
introduction to the web application deployment descriptor
(<code>/WEB-INF/web.xml</code>).</li>
<li><a href="deployer-howto.html"><strong>Deployer</strong></a> -
Operating the Apache Tomcat Deployer to deploy, precompile, and validate web
applications.</li>
<li><a href="manager-howto.html"><strong>Manager</strong></a> -
Operating the <code>Manager</code> web app to deploy, undeploy, and
redeploy applications while Apache Tomcat is running.</li>
<li><a href="realm-howto.html"><strong>Realms and Access Control</strong></a>
- Description of how to configure <em>Realms</em> (databases of users,
passwords, and their associated roles) for use in web applications that
utilize <em>Container Managed Security</em>.</li>
<li><a href="security-manager-howto.html"><strong>Security Manager</strong></a>
- Configuring and using a Java Security Manager to
support fine-grained control over the behavior of your web applications.
</li>
<li><a href="jndi-resources-howto.html"><strong>JNDI Resources</strong></a>
- Configuring standard and custom resources in the JNDI naming context
that is provided to each web application.</li>
<li><a href="jndi-datasource-examples-howto.html">
<strong>JDBC DataSource</strong></a>
- Configuring a JNDI DataSoure with a DB connection pool.
Examples for many popular databases.</li>
<li><a href="class-loader-howto.html"><strong>Classloading</strong></a>
- Information about class loading in Apache Tomcat 5, including where to place
your application classes so that they are visible.</li>
<li><a href="jasper-howto.html"><strong>JSPs</strong></a>
- Information about Jasper configuration, as well as the JSP compiler
usage.</li>
<li><a href="ssl-howto.html"><strong>SSL</strong></a> -
Installing and
configuring SSL support so that your Apache Tomcat will serve requests using
the <code>https</code> protocol.</li>
<li><a href="ssi-howto.html"><strong>SSI</strong></a> -
Using Server Side Includes in Apache Tomcat.</li>
<li><a href="cgi-howto.html"><strong>CGI</strong></a> -
Using CGIs with Apache Tomcat.</li>
<li><a href="proxy-howto.html"><strong>Proxy Support</strong></a> -
Configuring Apache Tomcat 5 to run behind a proxy server (or a web server
functioning as a proxy server).</li>
<li><a href="mbeans-descriptor-howto.html"><strong>MBean Descriptor</strong></a> -
Configuring MBean descriptors files for custom components.</li>
<li><a href="default-servlet.html"><strong>Default Servlet</strong></a> -
Configuring the default servlet and customizing directory listings.</li>
<li><a href="cluster-howto.html"><strong>Apache Tomcat Clustering</strong></a> -
Enable session replication in a Apache Tomcat environment.</li>
<li><a href="balancer-howto.html"><strong>Balancer</strong></a> -
Configuring, using, and extending the load balancer application.</li>
<li><a href="connectors.html"><strong>Connectors</strong></a> -
Connectors available in Apache Tomcat, and native web server integration.</li>
<li><a href="monitoring.html"><strong>Monitoring and Management</strong></a> -
Enabling JMX Remote support, and using tools to monitor and manage Apache Tomcat.</li>
<li><a href="logging.html"><strong>Logging</strong></a> -
Configuring logging in Apache Tomcat.</li>
<li><a href="apr.html"><strong>Apache Portable Runtime</strong></a> -
Using APR to provide superior performance, scalability and better
integration with native server technologies.</li>
<li><a href="virtual-hosting-howto.html"><strong>Virtual Hosting</strong></a> -
Configuring vitual hosting in Apache Tomcat.</li>
</ol>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Reference"><strong>Reference</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents are aimed at <em>System Administrators</em> who
are responsible for installing, configuring, and operating a Apache Tomcat 5 server.
</p>
<ul>
<li><a href="RELEASE-NOTES.txt"><strong>Release notes</strong></a>
- Known issues in this Apache Tomcat release.
</li>
<li><a href="config/index.html"><strong>Apache Tomcat Server Configuration Reference</strong></a>
- Reference manual that documents all available elements and attributes
that may be placed into a Apache Tomcat 5 <code>conf/server.xml</code> file.
</li>
<li><a href="http://tomcat.apache.org/connectors-doc/index.html"><strong>JK Documentation</strong></a>
- Complete documentation and HOWTOs on the JK native webserver connector,
used to interface Apache Tomcat with servers like Apache HTTPd, IIS
and others.</li>
<li><a href="servletapi/index.html"><strong>Servlet API Javadocs</strong></a> -
The Servlet 2.4 API Javadocs.</li>
<li><a href="jspapi/index.html"><strong>JSP API Javadocs</strong></a> -
The JSP 2.0 API Javadocs.</li>
</ul>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Apache Tomcat Developers"><strong>Apache Tomcat Developers</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents are for Java developers who wish to contribute to
the development of the <em>Apache Tomcat</em> project.</p>
<ul>
<li><a href="building.html"><strong>Building from Source</strong></a> -
Details the steps necessary to download Apache Tomcat 5 source code (and the
other packages that it depends on), and build a binary distribution from
those sources.
</li>
<li><a href="changelog.html"><strong>Changelog</strong></a> - Details the
changes made to Apache Tomcat.
</li>
<li><a href="status.html"><strong>Status</strong></a> - Apache Tomcat development
status.
</li>
<li><a href="developers.html"><strong>Developers</strong></a> - List of active
Apache Tomcat contributors.
</li>
<li><a href="catalina/funcspecs/index.html"><strong>Functional Specifications</strong></a>
- Requirements specifications for features of the <em>Catalina</em> servlet
container portion of Apache Tomcat 5.</li>
<li><a href="catalina/docs/api/index.html"><strong>Catalina Javadocs</strong></a>
- Javadoc API documentation for the <em>Catalina</em> servlet
container and its dependencies.</li>
<li><a href="jasper/docs/api/index.html"><strong>Jasper Javadocs</strong></a>
- Javadoc API documentation for the <em>Jasper</em> JSP container
portion of Apache Tomcat 5.</li>
<li><a href="architecture/index.html"><strong>Apache Tomcat Architecture</strong></a>
- Documentation of the Apache Tomcat Server Architecture.</li>

</ul>

</blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade="noshade"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font size="-1" color="#525D76"><em>
Copyright &copy; 1999-2006, Apache Software Foundation
</em></font></div></td></tr></table></body></html>
Default Tomcat Page Identified

1 TOTAL
INFORMATION
Netsparker identified a default Tomcat page. This issue is reported for information only. If any other vulnerability is identified regarding this resource, Netsparker will report it as a separate issue.

https://member.rodale.com/tomcat-docs/index.html

Request

GET /tomcat-docs/index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: member.rodale.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"13326-1187991292000"
Last-Modified: Fri, 24 Aug 2007 21:34:52 GMT
Content-Type: text/html
Content-Length: 13326
Date: Thu, 10 Mar 2011 22:27:42 GMT


<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>The Apache Tomcat 5.5 Servlet/JSP Container - Documentation Index</title><meta value="Craig R. McClanahan" name="author"><meta value="craigmcc@apache.org" name="email"><meta value="Remy Maucherat" name="author"><meta value="remm@apache.org" name="email"><meta value="Yoav Shapira" name="author"><meta value="yoavs@apache.org" name="email"></head><body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"><table cellspacing="0" width="100%" border="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img border="0" alt="
The Apache Tomcat Servlet/JSP Container
" align="right" src="./images/tomcat.gif"></a></td><td><font face="arial,helvetica,sanserif"><h1>The Apache Tomcat 5.5 Servlet/JSP Container</h1></font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img border="0" alt="Apache Logo" align="right" src="./images/asf-logo.gif"></a></td></tr></table><table cellspacing="4" width="100%" border="0"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade="noshade"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td nowrap="true" valign="top" width="20%"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://tomcat.apache.org/faq">FAQ</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR</a></li><li><a 
href="virtual-hosting-howto.html">24) Virtual Hosting</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Apache Tomcat Configuration</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li><li><a href="servletapi/index.html">Servlet API Javadocs</a></li><li><a href="jspapi/index.html">JSP API Javadocs</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="status.html">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="catalina/funcspecs/index.html">Functional Specs.</a></li><li><a href="catalina/docs/api/index.html">Apache Tomcat Javadocs</a></li><li><a href="jasper/docs/api/index.html">Apache Jasper Javadocs</a></li><li><a href="architecture/index.html">Architecture</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td align="left" valign="top" width="80%"><table cellspacing="4" width="100%" border="0"><tr><td valign="top" align="left"><h1>The Apache Tomcat 5.5 Servlet/JSP Container</h1><h2>Documentation Index</h2></td><td nowrap="true" valign="top" align="right"><small><a href="printer/index.html"><img alt="Printer Friendly Version" border="0" src="./images/printer.gif"><br>print-friendly<br>version
</a></small></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>

<p>This is the top-level entry point of the documentation bundle for the
<strong>Apache Tomcat</strong> Servlet/JSP container. Apache Tomcat version 5.5
implements the
Servlet 2.4 and JavaServer Pages 2.0 specifications from the
<a href="http://www.jcp.org">Java Community Process</a>, and includes many
additional features that make it a useful platform for developing and deploying
web applications and web services.</p>

<p>Select one of the links from the navigation menu (to the left) to drill
down to the more detailed documentation that is available. Each available
manual is described in more detail below.</p>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Apache Tomcat User Guide"><strong>Apache Tomcat User Guide</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents will assist you in downloading, installing
Apache Tomcat 5, and using many of the Apache Tomcat features.</p>

<ol>
<li><a href="introduction.html"><strong>Introduction</strong></a> - A
brief, high level, overview of Apache Tomcat.</li>
<li><a href="setup.html"><strong>Setup</strong></a> - How to install and run
Apache Tomcat on a variety of platforms.</li>
<li><a href="appdev/index.html"><strong>First web application</strong></a>
- An introduction to the concepts of a <em>web application</em> as defined
in the <a href="http://java.sun.com/products/servlet/download.html">Servlet
2.3 Specification</a>. Covers basic organization of your web application
source tree, the structure of a web application archive, and an
introduction to the web application deployment descriptor
(<code>/WEB-INF/web.xml</code>).</li>
<li><a href="deployer-howto.html"><strong>Deployer</strong></a> -
Operating the Apache Tomcat Deployer to deploy, precompile, and validate web
applications.</li>
<li><a href="manager-howto.html"><strong>Manager</strong></a> -
Operating the <code>Manager</code> web app to deploy, undeploy, and
redeploy applications while Apache Tomcat is running.</li>
<li><a href="realm-howto.html"><strong>Realms and Access Control</strong></a>
- Description of how to configure <em>Realms</em> (databases of users,
passwords, and their associated roles) for use in web applications that
utilize <em>Container Managed Security</em>.</li>
<li><a href="security-manager-howto.html"><strong>Security Manager</strong></a>
- Configuring and using a Java Security Manager to
support fine-grained control over the behavior of your web applications.
</li>
<li><a href="jndi-resources-howto.html"><strong>JNDI Resources</strong></a>
- Configuring standard and custom resources in the JNDI naming context
that is provided to each web application.</li>
<li><a href="jndi-datasource-examples-howto.html">
<strong>JDBC DataSource</strong></a>
- Configuring a JNDI DataSource with a DB connection pool.
Examples for many popular databases.</li>
<li><a href="class-loader-howto.html"><strong>Classloading</strong></a>
- Information about class loading in Apache Tomcat 5, including where to place
your application classes so that they are visible.</li>
<li><a href="jasper-howto.html"><strong>JSPs</strong></a>
- Information about Jasper configuration, as well as the JSP compiler
usage.</li>
<li><a href="ssl-howto.html"><strong>SSL</strong></a> -
Installing and
configuring SSL support so that your Apache Tomcat will serve requests using
the <code>https</code> protocol.</li>
<li><a href="ssi-howto.html"><strong>SSI</strong></a> -
Using Server Side Includes in Apache Tomcat.</li>
<li><a href="cgi-howto.html"><strong>CGI</strong></a> -
Using CGIs with Apache Tomcat.</li>
<li><a href="proxy-howto.html"><strong>Proxy Support</strong></a> -
Configuring Apache Tomcat 5 to run behind a proxy server (or a web server
functioning as a proxy server).</li>
<li><a href="mbeans-descriptor-howto.html"><strong>MBean Descriptor</strong></a> -
Configuring MBean descriptor files for custom components.</li>
<li><a href="default-servlet.html"><strong>Default Servlet</strong></a> -
Configuring the default servlet and customizing directory listings.</li>
<li><a href="cluster-howto.html"><strong>Apache Tomcat Clustering</strong></a> -
Enabling session replication in an Apache Tomcat environment.</li>
<li><a href="balancer-howto.html"><strong>Balancer</strong></a> -
Configuring, using, and extending the load balancer application.</li>
<li><a href="connectors.html"><strong>Connectors</strong></a> -
Connectors available in Apache Tomcat, and native web server integration.</li>
<li><a href="monitoring.html"><strong>Monitoring and Management</strong></a> -
Enabling JMX Remote support, and using tools to monitor and manage Apache Tomcat.</li>
<li><a href="logging.html"><strong>Logging</strong></a> -
Configuring logging in Apache Tomcat.</li>
<li><a href="apr.html"><strong>Apache Portable Runtime</strong></a> -
Using APR to provide superior performance, scalability and better
integration with native server technologies.</li>
<li><a href="virtual-hosting-howto.html"><strong>Virtual Hosting</strong></a> -
Configuring virtual hosting in Apache Tomcat.</li>
</ol>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Reference"><strong>Reference</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents are aimed at <em>System Administrators</em> who
are responsible for installing, configuring, and operating an Apache Tomcat 5 server.
</p>
<ul>
<li><a href="RELEASE-NOTES.txt"><strong>Release notes</strong></a>
- Known issues in this Apache Tomcat release.
</li>
<li><a href="config/index.html"><strong>Apache Tomcat Server Configuration Reference</strong></a>
- Reference manual that documents all available elements and attributes
that may be placed into an Apache Tomcat 5 <code>conf/server.xml</code> file.
</li>
<li><a href="http://tomcat.apache.org/connectors-doc/index.html"><strong>JK Documentation</strong></a>
- Complete documentation and HOWTOs on the JK native webserver connector,
used to interface Apache Tomcat with servers like Apache HTTPd, IIS
and others.</li>
<li><a href="servletapi/index.html"><strong>Servlet API Javadocs</strong></a> -
The Servlet 2.4 API Javadocs.</li>
<li><a href="jspapi/index.html"><strong>JSP API Javadocs</strong></a> -
The JSP 2.0 API Javadocs.</li>
</ul>

</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Apache Tomcat Developers"><strong>Apache Tomcat Developers</strong></a></font></td></tr><tr><td><blockquote>

<p>The following documents are for Java developers who wish to contribute to
the development of the <em>Apache Tomcat</em> project.</p>
<ul>
<li><a href="building.html"><strong>Building from Source</strong></a> -
Details the steps necessary to download Apache Tomcat 5 source code (and the
other packages that it depends on), and build a binary distribution from
those sources.
</li>
<li><a href="changelog.html"><strong>Changelog</strong></a> - Details the
changes made to Apache Tomcat.
</li>
<li><a href="status.html"><strong>Status</strong></a> - Apache Tomcat development
status.
</li>
<li><a href="developers.html"><strong>Developers</strong></a> - List of active
Apache Tomcat contributors.
</li>
<li><a href="catalina/funcspecs/index.html"><strong>Functional Specifications</strong></a>
- Requirements specifications for features of the <em>Catalina</em> servlet
container portion of Apache Tomcat 5.</li>
<li><a href="catalina/docs/api/index.html"><strong>Catalina Javadocs</strong></a>
- Javadoc API documentation for the <em>Catalina</em> servlet
container and its dependencies.</li>
<li><a href="jasper/docs/api/index.html"><strong>Jasper Javadocs</strong></a>
- Javadoc API documentation for the <em>Jasper</em> JSP container
portion of Apache Tomcat 5.</li>
<li><a href="architecture/index.html"><strong>Apache Tomcat Architecture</strong></a>
- Documentation of the Apache Tomcat Server Architecture.</li>

</ul>

</blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade="noshade"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font size="-1" color="#525D76"><em>
Copyright &copy; 1999-2006, Apache Software Foundation
</em></font></div></td></tr></table></body></html>