|The default catalina.policy in the JULI logging component in Apache
Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict
certain permissions for web applications, which allows attackers to
modify logging configuration options and overwrite arbitrary files, as
demonstrated by changing the (1) level, (2) directory, and (3) prefix
attributes in the org.apache.juli.FileHandler handler.