Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

on 2002/9/25 6:27 AM, Costin Manolache [EMAIL PROTECTED] wrote:

> Well, this is not a very good policy IMO. Self-contained applications
> are a good thing (IMO).

Then store your templates in the WEB-INF directory. That is what we do with Scarab, which is 100% self contained.

> And of course, JSPs don't have to be stored in the webroot either - and
> in general shouldn't be there except for development. It's better (IMO)
> to just precompile and include only the generated servlets - at least
> for a category of webapps.

Correct, but what is *encouraged* by default is to store them in the webroot. Maybe you guys should fix that.

jakarta-tomcat-4.0.5/webapps/examples/jsp

-jon

--
StudioZ.tv /\ Bar/Nightclub/Entertainment
314 11th Street @ Folsom /\ San Francisco
http://studioz.tv/

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
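The pattern Jon describes above (templates under WEB-INF, read by code rather than served by URL), as an added example that is not code from this thread, from Scarab or from Tomcat. The servlet reads a template through the ServletContext; the servlet specification requires the container to refuse direct requests for anything below /WEB-INF, so a crafted URL cannot fetch the raw template the way it could fetch a JSP source from the document root. The template path, the "$name" placeholder syntax and the javax.servlet 2.3-era API are assumptions of this example.

```java
// Added example (not from the thread): serve a page whose template lives
// under WEB-INF, where the container never maps URLs. Template path and
// placeholder syntax are assumed for illustration.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WebInfTemplateServlet extends HttpServlet {

    // Below WEB-INF: reachable by application code, unreachable by request URL.
    private static final String TEMPLATE = "/WEB-INF/templates/hello.tpl";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String template = readTemplate();
        if (template == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "template missing");
            return;
        }
        String name = req.getParameter("name");
        if (name == null) {
            name = "world";
        }
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.print(render(template, name));
    }

    // Reads the template from the webapp's own resources via the ServletContext,
    // not through an HTTP path, so no URL ever resolves to the template file.
    private String readTemplate() throws IOException {
        InputStream in = getServletContext().getResourceAsStream(TEMPLATE);
        if (in == null) {
            return null;
        }
        BufferedReader r = new BufferedReader(new InputStreamReader(in, "UTF-8"));
        StringBuffer sb = new StringBuffer();
        String line;
        while ((line = r.readLine()) != null) {
            sb.append(line).append('\n');
        }
        r.close();
        return sb.toString();
    }

    // Minimal substitution: every "$name" becomes the HTML-escaped value.
    // Escaping is required because the value comes straight from the request.
    static String render(String template, String name) {
        StringBuffer escaped = new StringBuffer();
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            switch (c) {
                case '<': escaped.append("&lt;"); break;
                case '>': escaped.append("&gt;"); break;
                case '&': escaped.append("&amp;"); break;
                case '"': escaped.append("&quot;"); break;
                default: escaped.append(c);
            }
        }
        return replaceAll(template, "$name", escaped.toString());
    }

    // Plain (non-regex) replacement so the "$" in the placeholder needs no escaping.
    private static String replaceAll(String s, String key, String value) {
        StringBuffer out = new StringBuffer();
        int from = 0;
        int idx;
        while ((idx = s.indexOf(key, from)) >= 0) {
            out.append(s.substring(from, idx)).append(value);
            from = idx + key.length();
        }
        out.append(s.substring(from));
        return out.toString();
    }
}
```

Map the servlet to a path such as /hello in web.xml; a request for /WEB-INF/templates/hello.tpl itself is answered with 404 by any compliant container, which is the whole point of the placement.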
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

With power comes responsibility.

<% System.exit(1); %>

-bob

P.S. Yea, I know the SecurityManager can catch this, if enabled.

On Wed, 2002-09-25 at 21:22, Bojan Smojver wrote:
> Quoting Costin Manolache [EMAIL PROTECTED]:
>
> > And Velocity does have a mailing list where all this can be discussed.
> > This is tomcat-dev - for servlet and jsp development. If you have any
> > ideas on how to improve jasper - great, but please don't waste our
> > time with off topic subjects. Comments and suggestions on JSP spec can
> > be addressed to the feedback address from Sun, we just implement it.
> > (and BTW, nobody forces you to use any java inside the JSP if you
> > don't want to, or any of the features that are specific to jsps.)
>
> All right then, let's talk about JSP's. If I host my clients' JSP's on
> my server and a web designer puts this in (BTW, he wasn't forced, he
> simply decided he wanted to do it):
>
> ---
> <%@ page import="java.util.Hashtable" %>
> <%
>     Hashtable strings = new Hashtable();
>     int i = 0;
>     while (true) {
>         // never terminates: every iteration adds a new entry until the heap is exhausted
>         strings.put("dead" + i++, new StringBuffer(99));
>     }
> %>
> ---
>
> What would happen to my Tomcat? I think this is called OutOfMemoryError
> and it would affect every single web application running in that
> instance of Tomcat, possibly owned by some other clients of mine.
> Completely unacceptable...
>
> Web applications are collections of programs and other stuff, for
> instance web pages. However, web pages should not be programs because
> they are (usually) maintained by non-programmers. The fact that you
> know what you're doing doesn't excuse the shortcomings of the
> technology.
>
> Bojan
>
> -
> This mail sent through IMP: http://horde.org/imp/

--
Bob Herrmann [EMAIL PROTECTED]
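Bob's postscript says a SecurityManager can catch the System.exit(1) call; the following added example (not code from the thread or from Tomcat) shows the mechanism. A SecurityManager whose checkExit vetoes the call turns a hosted page's exit into a SecurityException that the container survives. Tomcat's own approach is the standard SecurityManager driven by catalina.policy (started with the -security option), which achieves the same effect by not granting RuntimePermission "exitVM" to webapps; the custom subclass here is just the shortest self-contained demonstration. It assumes a JVM on which a SecurityManager can still be installed: the class is deprecated for removal since JDK 17, JDK 18 and later require -Djava.security.manager=allow, and JDK 24 removes support entirely.

```java
// Added example (not from the thread): veto System.exit() from hosted code.
// Assumes a pre-JDK-24 runtime; on JDK 18-23 run with
// -Djava.security.manager=allow.
import java.security.Permission;

public class NoExitSecurityManager extends SecurityManager {

    // Runtime.exit() consults this before halting the JVM; throwing here
    // aborts the exit and leaves the container (and every other webapp) running.
    public void checkExit(int status) {
        throw new SecurityException(
            "System.exit(" + status + ") is not permitted for hosted code");
    }

    // Everything else is allowed in this demonstration. A real deployment
    // would leave these to the default manager and a policy file instead.
    public void checkPermission(Permission perm) {
    }

    public void checkPermission(Permission perm, Object context) {
    }

    // Stands in for a hosted page calling System.exit(1).
    // Returns true when the manager blocked the call.
    public static boolean exitIsBlocked() {
        try {
            System.exit(1);
            return false; // not reached if the manager vetoes the exit
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExitSecurityManager());
        System.out.println("exit blocked: " + exitIsBlocked());
        // Execution continues here: the JVM was not halted.
        // Note the limit of this control: Bojan's unbounded Hashtable loop
        // raises OutOfMemoryError, which no permission check prevents; that
        // needs per-webapp resource limits or separate JVMs per tenant.
    }
}
```

Run it and the second line of output is reached, which is the observable difference from an unguarded JVM. The comment at the end is the caveat worth remembering from this thread: a SecurityManager addresses calls that ask permission (exit, file and socket access, reflection), not resource exhaustion.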
Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote:

> A security vulnerability has been confirmed to exist in all Apache
> Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> allows the use of a specially crafted URL to return the unprocessed
> source of a JSP page, or, under special circumstances, a static
> resource which would otherwise have been protected by a security
> constraint, without the need for being properly authenticated.

Once again... JSP sucks and Velocity is the right way to go... you will never have to worry about your container spilling your beans (pun intended).

Given that Tomcat gets around 100k+ downloads/week... imagine how many servers now need to be updated and how much money and time that will cost to do so?

http://jakarta.apache.org/velocity/

Wake up people. Velocity is faster and more secure than JSP will ever be.

-jon
Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

on 2002/9/24 5:15 PM, Steve Downey [EMAIL PROTECTED] wrote:

> http://localhost:8080/velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm

Unlike JSP, we don't store (or encourage people to store) .vm files in the webroot. They can be anywhere on the filesystem and with custom resource loaders could even be stored in a database on another machine somewhere.

-jon