on 2002/9/24 4:59 AM, "Remy Maucherat" <[EMAIL PROTECTED]> wrote:

> A security vulnerability has been confirmed to exist in all Apache
> Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> allows a specially crafted URL to be used to return the unprocessed source
> of a JSP page, or, under special circumstances, a static resource which
> would otherwise have been protected by a security constraint, without the
> need for being properly authenticated.

Once again...JSP sucks and Velocity is the right way to go...you will never
have to worry about your container spilling your beans (pun intended).

Given that Tomcat gets around 100k+ downloads/week...imagine how many
servers now need to be updated and how much money and time that will cost to
do so?

    http://jakarta.apache.org/velocity/

Wake up people. Velocity is faster and more secure than JSP will ever be.

-jon

