A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5) which allows a specially crafted URL to be used to retrieve the unprocessed source of a JSP page or, under special circumstances, a static resource that would otherwise have been protected by a security constraint, without the requester being properly authenticated. This is based on a variant of the exploit that was disclosed on 09/24/2002.
The cause
---------

Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability.

Who is vulnerable
-----------------

- All Tomcat 4.0.x releases, except those in which the invoker servlet is disabled (this is not the default setting).

- All Tomcat 4.1.x releases before 4.1.12, except those in which the invoker servlet is disabled (this is not the default setting), as well as 4.1.12 if and only if the invoker servlet has been enabled. The default Tomcat 4.1.12 installation is not vulnerable.

Fixes and workarounds
---------------------

Doing any of the following will resolve the security problem:

A) Disabling the invoker servlet

   In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment:

       <servlet-mapping>
           <servlet-name>invoker</servlet-name>
           <url-pattern>/servlet/*</url-pattern>
       </servlet-mapping>

B) If running any Tomcat 4.0.x release, download and install the following binary patch:

   http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

   Simply unzip the archive in the $CATALINA_HOME folder (on Windows, %CATALINA_HOME%). Make sure paths are preserved when unzipping. The patch will overwrite the default webapp configuration file ($CATALINA_HOME/conf/web.xml) to add a workaround that protects against the security vulnerability.

C) If running Tomcat 4.1.12 and the invoker servlet was enabled, it must be disabled at this time. A new Tomcat 4.1.x release incorporating the fix to the invoker servlet will be made available shortly.

D) If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.

New release
-----------

The Apache Tomcat Team announces the immediate availability of a new release which includes a fix to the invoker servlet.
Apache Tomcat 4.0.6: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/

Remy
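As an added check, not part of the original advisory or of Tomcat's own tooling, the following Python script reports whether a conf/web.xml still carries an active servlet-mapping for the invoker servlet. A mapping that was commented out, as workaround A instructs, is an XML comment, never reaches the parser, and so counts as disabled. The two embedded web.xml fragments are constructed samples, and the script name in the usage comment is hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip a namespace prefix such as '{uri}servlet-mapping', if one is present.
    return tag.rsplit('}', 1)[-1]

def active_invoker_mappings(web_xml_text):
    """Return the url-pattern of every active <servlet-mapping> whose
    <servlet-name> is 'invoker'. Commented-out mappings are not reported."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != 'servlet-mapping':
            continue
        name = pattern = None
        for child in mapping:
            if _local(child.tag) == 'servlet-name':
                name = (child.text or '').strip()
            elif _local(child.tag) == 'url-pattern':
                pattern = (child.text or '').strip()
        if name == 'invoker' and pattern:
            patterns.append(pattern)
    return patterns

def invoker_enabled(web_xml_text):
    """True when at least one invoker mapping is active (the vulnerable state)."""
    return bool(active_invoker_mappings(web_xml_text))

# Constructed sample: the default mapping the advisory tells you to comment out.
VULNERABLE_WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file after workaround A (mapping commented out).
FIXED_WEB_XML = (VULNERABLE_WEB_XML
                 .replace('<servlet-mapping>', '<!-- <servlet-mapping>')
                 .replace('</servlet-mapping>', '</servlet-mapping> -->'))

if __name__ == '__main__':
    # Usage (hypothetical script name): python check_invoker.py $CATALINA_HOME/conf/web.xml
    text = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else VULNERABLE_WEB_XML
    found = active_invoker_mappings(text)
    if found:
        print('VULNERABLE: invoker servlet mapped at', ', '.join(found))
    else:
        print('OK: no active invoker servlet mapping')
```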