The DefaultServlet is ok. But it was being called by the invoker
servlet in a roundabout (unintended) manner. The invoker servlet is
typically mapped to /servlet/*.
The invoker servlet should be disabled, or restricted using many of
the ways described in other threads.
You should be fine
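Added example (not from anyone in this thread): what disabling the invoker servlet looks like in Tomcat 4.x. The first part is the stock declaration from $CATALINA_HOME/conf/web.xml with its /servlet/* mapping; the second part shows the mapping commented out, and the third shows the alternative of leaving it in place but restricting the path with a security constraint in the affected application's WEB-INF/web.xml. The role name tomcat-admin is a placeholder chosen for this example.

```xml
<!-- Stock $CATALINA_HOME/conf/web.xml (Tomcat 4.x): the invoker servlet is declared
     globally and mapped to /servlet/*, so every webapp inherits it whether it is needed or not. -->
<servlet>
  <servlet-name>invoker</servlet-name>
  <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <load-on-startup>2</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>invoker</servlet-name>
  <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

<!-- Disabled: the same file with the mapping commented out. With no url-pattern bound to
     the invoker, requests under /servlet/ no longer reach InvokerServlet at all.
<servlet-mapping>
  <servlet-name>invoker</servlet-name>
  <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->

<!-- Restricted instead of disabled: placed in a webapp's WEB-INF/web.xml, this requires an
     authenticated user in the placeholder role tomcat-admin for anything under /servlet/.
     Only use this if some application genuinely depends on the invoker. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Invoker servlet</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat-admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted invoker</realm-name>
</login-config>

<security-role>
  <role-name>tomcat-admin</role-name>
</security-role>
```

After restarting Tomcat, a request to any path under /servlet/ should come back as 404 (mapping removed) or 401 (constraint in place); anything else means a webapp still carries its own invoker mapping.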
that it will be resistant
to this exposure.
Regards,
Rossen Raykov
-Original Message-
From: Kent Perrier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Sent: Tuesday, September 24, 2002 5:26 PM
To: tomcat-dev; Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote:
A security vulnerability has been confirmed to exist in all Apache
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
allows a specially crafted URL to be used to return the unprocessed
source of a JSP page, or,
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
I'm having a hard time finding many specifics about this exploit. It
sounds like you're forcing the default servlet to serve up the source
page as static content. Why isn't Velocity vulnerable in the
same way?
I'll
-Original Message-
From: Rossen Raykov [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:17 PM
To: 'Tomcat Users List'
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
See
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
OK, thanks. (The BugTraq search engine wasn't working when I checked
there.)
So it sounds pretty much like what I thought it was. I still don't
understand why Velocity wouldn't be vulnerable to this exploit.
It sounds to me like it