[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability;Apache Tomcat 4.0.6 released

2002-10-09 Thread Remy Maucherat
A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5), which allows a specially crafted URL to be used to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected

Re: [OT] Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-26 Thread Costin Manolache
Bojan Smojver wrote: Quoting Bill Barker [EMAIL PROTECTED]: I'm agreeing with Costin. Please move this discussion to [EMAIL PROTECTED] It is off-topic here. Promise not to write a single byte on this topic on Tomcat-Dev list after this e-mail. Please don't misunderstand this - I

Re: Velocity (was RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability)

2002-09-26 Thread Dennis Doubleday
:[EMAIL PROTECTED]] Sent: Wednesday, September 25, 2002 10:34 PM To: Tomcat Developers List Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability Not if: runtime.interpolate.string.literals = false Bojan Quoting Tim Funk [EMAIL PROTECTED]: That's what

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread John Trollinger
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability On Wed, 2002-09-25 at 07:31, Matt Fury wrote: What's easier though? Upgrading a Tomcat server with a patch or re-architecting your whole site to accommodate for Velocity?? Short term, upgrading Tomcat. Long term

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Matt Fury
Yes I agree that some sort of JSP Tagging can be beneficial but at times it is overkill. I think the ultimate solution would be a combination of both. --- Bojan Smojver [EMAIL PROTECTED] wrote: On Wed, 2002-09-25 at 07:31, Matt Fury wrote: What's easier though? Upgrading a Tomcat server

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Costin Manolache
Jon Scott Stevens wrote: Unlike JSP, we don't store (or encourage people to store) .vm files in the webroot. They can be anywhere on the filesystem and with custom resource loaders could even be stored in a database on another machine somewhere. Well, this is not a very good policy IMO.

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bojan Smojver
On Wed, 2002-09-25 at 20:59, John Trollinger wrote: Don't buy all the velocity hype.. It is not as great as they make it out to be. What hype? I don't follow here... Velocity is just a template language, plain, simple and relatively small. Its greatness comes from the fact that you cannot

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Costin Manolache
Bojan Smojver wrote: On Wed, 2002-09-25 at 20:59, John Trollinger wrote: Don't buy all the velocity hype.. It is not as great as they make it out to be. What hype? I don't follow here... Velocity is just a template language, plain, simple and relatively small. Its greatness comes

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bojan Smojver
Quoting Costin Manolache [EMAIL PROTECTED]: And Velocity does have a mailing list where all this can be discussed. This is tomcat-dev - for servlet and jsp development. If you have any ideas on how to improve jasper - great, but please don't waste our time with off topic subjects.

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Tim Funk
That's what code reviews are for and in absence of that - firing your developers. Wouldn't I also get an out of memory with this in Velocity? #set($oom = ) #foreach( $i in [-2147483648..2147483648] ) #set($oom =

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bojan Smojver
Not if: runtime.interpolate.string.literals = false Bojan Quoting Tim Funk [EMAIL PROTECTED]: That's what code reviews are for and in absence of that - firing your developers. Wouldn't I also get an out of memory with this in Velocity? #set($oom =

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Costin Manolache
Bojan Smojver wrote: All right then, let's talk about JSP's. If I host my clients' JSP's on my server and a web designer puts this in (BTW, he wasn't forced, he simply decided he wanted to do it): And your proposed solution is ... ? Do you have a patch to solve this problem ? If so, send

[OT] Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bill Barker
I'm agreeing with Costin. Please move this discussion to [EMAIL PROTECTED] It is off-topic here. - Original Message - From: Bojan Smojver [EMAIL PROTECTED] To: Tomcat Developers List [EMAIL PROTECTED] Sent: Wednesday, September 25, 2002 7:33 PM Subject: Re: [SECURITY] Apache Tomcat 4.x

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bojan Smojver
Quoting Costin Manolache [EMAIL PROTECTED]: Bojan Smojver wrote: All right then, let's talk about JSP's. If I host my clients' JSP's on my server and a web designer puts this in (BTW, he wasn't forced, he simply decided he wanted to do it): And your proposed solution is ... ? Don't

Re: [OT] Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Bojan Smojver
Quoting Bill Barker [EMAIL PROTECTED]: I'm agreeing with Costin. Please move this discussion to [EMAIL PROTECTED] It is off-topic here. Promise not to write a single byte on this topic on Tomcat-Dev list after this e-mail. Bojan - This mail

[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat
A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows a specially crafted URL to be used to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Tim Funk
Would the following be vulnerable? 1) Use Jk only 2) do NOT use -- JkMount /servlet/* loadbalancer 3) But the invoker mapping is enabled Would they be vulnerable? I personally don't see a security flaw in this config. But does Jk also look for the text jsessionid being passed in the URL and

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Marx, Mitchell E (Mitch), ALCNS
Developers List; Tomcat Users List; announcements Subject: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows a specially crafted URL to be used

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat
Tim Funk wrote: Would the following be vulnerable? 1) Use Jk only 2) do NOT use -- JkMount /servlet/* loadbalancer 3) But the invoker mapping is enabled Would they be vulnerable? I personally don't see a security flaw in this config. But does Jk also look for the text jsessionid being

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat
Remy Maucherat wrote: Tim Funk wrote: Would the following be vulnerable? 1) Use Jk only 2) do NOT use -- JkMount /servlet/* loadbalancer 3) But the invoker mapping is enabled Would they be vulnerable? I personally don't see a security flaw in this config. But does Jk also look for the

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat
Marx, Mitchell E (Mitch), ALCNS wrote: Evil question: does this vulnerability exist in Tomcat 3.2.3? No. At worst it would be vulnerable to a distant cousin of the exploit. Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Matt Fury
This may be true (though I have never tested it). What's easier though? Upgrading a Tomcat server with a patch or re-architecting your whole site to accommodate for Velocity?? ;-) -Matt --- Jon Scott Stevens [EMAIL PROTECTED] wrote: on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED]

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Glenn Nielsen
This list is for discussing Tomcat development, not velocity, web macro, et al. The evangelizing for velocity is off topic in this list. JSP is part of Tomcat, live with it and move on. There are plenty of other forums for discussing the merits of one web templating technology vs another.

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Steve Downey
On Tuesday 24 September 2002 05:26 pm, Jon Scott Stevens wrote: on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote: A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows a specially

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Bojan Smojver
Quoting Glenn Nielsen [EMAIL PROTECTED]: This list is for discussing Tomcat development, not velocity, web macro, et. al. The evangelizing for velocity is off topic in this list. JSP is part of Tomcat, live with it and move on. There are plenty of other forums for discussing the

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Bojan Smojver
Quoting Steve Downey [EMAIL PROTECTED]: Perhaps you would prefer this exploit? http://localhost:8080/velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm Horrors! Velocity is insecure! The DefaultServlet exploit is a general security problem in Tomcat. JSP may be