A security vulnerability has been confirmed to exist in all Apache
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
allows to use a specially crafted URL to return the unprocessed source
of a JSP page, or, under special circumstances, a static resource which
would otherwise have been protected by security constraint, without the
need for being properly authenticated.
The cause
---------
Using the invoker servlet in conjunction with the default servlet
(responsible for handling static content in Tomcat) triggers this
vulnerability. This particular configuration is available in the default
Tomcat configuration.
Workarounds
-----------
An easy workaround exists for existing Tomcat installations, by
disabling the invoker servlet in the default webapp configuration.
In the $CATALINA_HOME/conf/web.xml file (on Windows,
%CATALINA_HOME%\conf\web.xml), comment out or remove the following XML
fragment:
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
Releases
--------
The Apache Tomcat Team announces the immediate availability of new
releases which include a fix to the invoker servlet.
Apache Tomcat 4.1.12 Stable:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
Apache Tomcat 4.0.5:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/
Remy
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
