RE: JSP source code exposure in Tomcat 4.x

2002-09-25 Thread Martin Robson


No, your best bet is to comment out the following line (and no, it won't
be all on one line) from your web.xml file, then schedule to upgrade to
Tomcat 4.1.12 Stable or Tomcat 4.0.5.

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

The Jakarta Team has already posted a response to this bug; it can be
viewed here: http://jakarta.apache.org/site/news.html

--
Martin Robson
Radial Software Development Inc.
Direct - (604) 868-1503
Main - (604) 692-5971
[EMAIL PROTECTED]
 
http://www.radialsoftware.com
 


-----Original Message-----
From: Marcin Jackowski [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 24, 2002 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: JSP source code exposure in Tomcat 4.x


[...]
> 
>   3.2 Workaround:
[...]

Quicker (brute) method - remove completely
$TOMCAT_HOME/server/lib/servlets-default.jar.
The server complains but applications seem to work correctly (unless
you're using it).

Stated for Tomcat version 4.0.1, 4.0.4 and 4.1.10.

Marcin Jackowski






Re: JSP source code exposure in Tomcat 4.x

2002-09-24 Thread Marcin Jackowski

[...]
> 
>   3.2 Workaround:
[...]

Quicker (brute) method - remove completely
$TOMCAT_HOME/server/lib/servlets-default.jar.
The server complains but applications seem to work correctly
(unless you're using it).

Stated for Tomcat version 4.0.1, 4.0.4 and 4.1.10.

Marcin Jackowski




Re: JSP source code exposure in Tomcat 4.x

2002-09-24 Thread DominusQ

On Tue, 24 Sep 2002 10:12:44 -0400
Rossen Raykov <[EMAIL PROTECTED]> wrote:
>   Tomcat 4.x JSP source exposure security advisory
> 
> 1. Summary
> Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
> vulnerable to source code exposure by using the default servlet
> org.apache.catalina.servlets.DefaultServlet.

3.2.x versions don't seem to be vulnerable to this, but indeed the
4.1.x versions are.


-- 
Information is bliss! give it a try!