Would the following be vulnerable?

1) Use Jk only
2) Do NOT use --> JkMount /servlet/* loadbalancer
3) But the invoker mapping is enabled
Would they be vulnerable? I personally don't see a security flaw in this config. But does Jk also look for the text "jsessionid" being passed in the URL and automagically pass it along to Tomcat? AFAIK, I thought a Rewrite rule needed to be added to have that behavior.

Remy Maucherat wrote:

> A security vulnerability has been confirmed to exist in all Apache
> Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> allows a specially crafted URL to be used to return the unprocessed source
> of a JSP page, or, under special circumstances, a static resource which
> would otherwise have been protected by a security constraint, without the
> need to be properly authenticated.
>
> The cause
> ---------
>
> Using the invoker servlet in conjunction with the default servlet
> (responsible for handling static content in Tomcat) triggers this
> vulnerability. This particular configuration is available in the default
> Tomcat configuration.
>
> Workarounds
> -----------
>
> An easy workaround exists for existing Tomcat installations, by
> disabling the invoker servlet in the default webapp configuration.
>
> In the $CATALINA_HOME/conf/web.xml file (on Windows,
> %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML
> fragment:
>
> <servlet-mapping>
> <servlet-name>invoker</servlet-name>
> <url-pattern>/servlet/*</url-pattern>
> </servlet-mapping>
>
> Releases
> --------
>
> The Apache Tomcat Team announces the immediate availability of new
> releases which include a fix to the invoker servlet.
>
> Apache Tomcat 4.1.12 Stable:
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
>
> Apache Tomcat 4.0.5:
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/
>
> Remy
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
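A quick check for the two settings this thread discusses, added here as an example (it is not code from the thread, from Tomcat, or from mod_jk). It parses a conf/web.xml for the invoker mapping the advisory tells you to remove, and parses JkMount lines to see whether requests under /servlet/ would be forwarded by Apache at all. The web.xml and JkMount fragments are constructed samples, the function names are mine, and the JkMount matcher covers only the exact, context-prefix and suffix forms, not every rule mod_jk knows.

```python
"""Check a Tomcat 4.x conf/web.xml and an Apache mod_jk config for the
invoker-servlet exposure discussed above.  Added example, not project code."""
import xml.etree.ElementTree as ET

# Constructed sample: the default Tomcat 4.x conf/web.xml, trimmed to the
# elements that matter (default servlet + invoker servlet + their mappings).
WEB_XML_DEFAULT = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file with the advisory's workaround applied,
# i.e. the invoker <servlet-mapping> removed.
WEB_XML_HARDENED = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample httpd.conf fragments for the two cases the poster asks about.
JK_WITH_SERVLET_MOUNT = "JkMount /*.jsp loadbalancer\nJkMount /servlet/* loadbalancer\n"
JK_WITHOUT_SERVLET_MOUNT = "JkMount /*.jsp loadbalancer\nJkMount /examples/* loadbalancer\n"


def _local(tag):
    """Strip an XML namespace prefix so the check also works on namespaced web.xml."""
    return tag.rsplit('}', 1)[-1]


def invoker_url_patterns(web_xml):
    """Return the url-patterns mapped to the 'invoker' servlet ([] if it is unmapped)."""
    patterns = []
    for mapping in ET.fromstring(web_xml).iter():
        if _local(mapping.tag) != 'servlet-mapping':
            continue
        name = next(((c.text or '').strip() for c in mapping
                     if _local(c.tag) == 'servlet-name'), None)
        if name == 'invoker':
            patterns.extend((c.text or '').strip() for c in mapping
                            if _local(c.tag) == 'url-pattern')
    return patterns


def jk_mounts(httpd_conf):
    """Parse 'JkMount <pattern> <worker>' directives into a list of (pattern, worker)."""
    mounts = []
    for line in httpd_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == 'JkMount':
            mounts.append((parts[1], parts[2]))
    return mounts


def jk_forwards(mounts, path):
    """True if some JkMount pattern matches the request path.

    Handles exact patterns, context prefixes such as '/servlet/*' and
    suffixes such as '/*.jsp'; a deliberately small subset of mod_jk's matching."""
    for pattern, _worker in mounts:
        if pattern == path:
            return True
        if pattern.endswith('/*') and path.startswith(pattern[:-1]):
            return True
        if pattern.startswith('/*.') and path.endswith(pattern[2:]):
            return True
    return False


def assess(web_xml, httpd_conf, probe='/servlet/HelloWorldExample'):
    """Summarise both settings for one request path under /servlet/.

    Only the web.xml change is the advisory's fix: a missing JkMount keeps Apache
    from forwarding /servlet/*, but the invoker stays reachable on any Tomcat
    connector that is not fronted by Apache (the default server.xml also
    enables a plain HTTP connector)."""
    invoker = invoker_url_patterns(web_xml)
    forwarded = jk_forwards(jk_mounts(httpd_conf), probe)
    return {
        'invoker_mapped': bool(invoker),
        'invoker_patterns': invoker,
        'apache_forwards_probe': forwarded,
        'fixed_per_advisory': not invoker,
    }


if __name__ == '__main__':
    for label, wx, jk in [('default web.xml, JkMount /servlet/*', WEB_XML_DEFAULT, JK_WITH_SERVLET_MOUNT),
                          ('default web.xml, no JkMount /servlet/*', WEB_XML_DEFAULT, JK_WITHOUT_SERVLET_MOUNT),
                          ('hardened web.xml', WEB_XML_HARDENED, JK_WITH_SERVLET_MOUNT)]:
        print(label, '->', assess(wx, jk))
```

To run it against a real installation, pass the file contents in, e.g. `assess(open('conf/web.xml').read(), open('httpd.conf').read())`. The poster's configuration (case 2) comes back with `invoker_mapped` true and `apache_forwards_probe` false: Apache will not hand /servlet/* to Tomcat, but the invoker is still mapped, so the advisory's workaround has not been applied.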