GLSA: tomcat

2002-10-15 Thread Daniel Ahlberg 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-001
- - 

PACKAGE : tomcat
SUMMARY : source disclosure
EXPLOIT : remote
DATE    : 2002-10-15 08:15 UTC

- - 

A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
crafted URL to return the unprocessed source of a JSP page, or, under
special circumstances, a static resource which would otherwise have been
protected by security constraint, without the need for being properly
authenticated. This is based on a variant of the exploit that was
disclosed on 09/24/2002.

Read the full disclosure at
http://marc.theaimsgroup.com/?l=tomcat-devm=103417249325526w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/tomcat-4.0.5 and earlier update their systems
as follows:

emerge rsync
emerge tomcat
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9q85zfT7nyhUpoZMRAripAKC2pwD2g82Np0cal/0afanM4mfVCgCfbx9o
dNLvNJOnmcq3QcvT/S4D3wQ=
=6MID
-END PGP SIGNATURE-

GLSA: tomcat

2002-09-25 Thread Daniel Ahlberg 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT
- - 

PACKAGE:tomcat
SUMMARY:source exposure
DATE   :2002-09-25 11:30 UTC

- - 

OVERVIEW

Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are 
vulnerable to
source code exposure by using the default servlet 
org.apache.catalina.servlets.DefaultServlet.

DETAIL

Let say you have valid URL like http://my.site/login.jsp, then an URL like
http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
will give you the source code of  the JSP page.

The full syntaxes of the exposure URL is:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet
/[context_relative_path/]file_name.jsp

More information can be found at:

http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/tomcat-4.04 and earlier update their systems
as follows:

emerge rsync
emerge tomcat
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9kaeOfT7nyhUpoZMRAjecAJwLLkCyj/iVWlRFN+1RrzR4oo9dlQCgi1PV
DTRyRrBXhKFbP7+ScPIx2A8=
=S0kw
-END PGP SIGNATURE-