A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows a specially
crafted URL to be used to return the unprocessed source of a JSP page or,
under special circumstances, a static resource that would otherwise have
been protected by a security constraint, without proper authentication.
This is based on a variant of the exploit that was disclosed on
09/24/2002.

The cause
---------

Using the invoker servlet in conjunction with the default servlet
(responsible for handling static content in Tomcat) triggers this
vulnerability.

Who is vulnerable
-----------------

- All Tomcat 4.0.x releases, except those in which the invoker servlet
is disabled (this is not the default setting).
- All Tomcat 4.1.x releases before 4.1.12, except those in which the
invoker servlet is disabled (this is not the default setting), as
well as 4.1.12 if and only if the invoker servlet has been enabled.
The default Tomcat 4.1.12 installation is not vulnerable.

Fixes and workarounds
---------------------

Doing any one of the following will resolve the security problem:

A) Disabling the invoker servlet

In the $CATALINA_HOME/conf/web.xml file (on Windows,
%CATALINA_HOME%\conf\web.xml), comment out or remove the following
XML fragment:

      <servlet-mapping>
          <servlet-name>invoker</servlet-name>
          <url-pattern>/servlet/*</url-pattern>
      </servlet-mapping>

B) If running any Tomcat 4.0.x releases, download and install the
following binary patch:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Simply unzip the archive in the $CATALINA_HOME folder (on Windows
%CATALINA_HOME%). Make sure paths are preserved when unzipping. The
patch will overwrite the default webapp configuration file
($CATALINA_HOME/conf/web.xml) to add a workaround to protect
against the security vulnerability.

C) If running Tomcat 4.1.12 and the invoker servlet was enabled, it must
be disabled at this time. A new Tomcat 4.1.x release incorporating
the fix to the invoker servlet will be made available shortly.

D) If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.
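As an added audit aid (not part of the original advisory or of Tomcat itself), the following Python script checks the two facts the advisory turns on: whether conf/web.xml still maps a URL pattern to the invoker servlet (fix A removes or comments out that mapping, and an XML parser drops commented-out elements, so a grep for "invoker" would not do), and whether a given Tomcat version falls under the "Who is vulnerable" rules above. The embedded web.xml is a constructed sample, not a real Tomcat file; the servlet class names in it are the ones Tomcat 4 uses but are not needed by the check.

```python
"""Audit helpers for the Tomcat invoker-servlet advisory (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of a conf/web.xml after fix A: the invoker mapping is
# commented out, the servlet declaration itself is left in place.
SAMPLE_WEB_XML_FIXED = """<web-app>
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    </servlet>
    <!--
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
    -->
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>
"""

# The same constructed file with the mapping still live (the shipped default).
SAMPLE_WEB_XML_DEFAULT = (
    SAMPLE_WEB_XML_FIXED.replace("    <!--\n", "").replace("    -->\n", "")
)


def invoker_url_patterns(web_xml: str) -> List[str]:
    """Return the url-patterns that map to the servlet named 'invoker'.

    ElementTree discards XML comments while parsing, so a mapping that has
    been commented out as fix A instructs does not show up here. An empty
    list means the invoker servlet is not reachable through any URL.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for mapping in root.iter("servlet-mapping"):
        name = mapping.findtext("servlet-name", default="").strip()
        if name == "invoker":
            patterns.append(mapping.findtext("url-pattern", default="").strip())
    return patterns


def is_vulnerable(version: str, invoker_enabled: bool) -> bool:
    """Apply the advisory's 'Who is vulnerable' rules to a version string.

    - 4.0.x before 4.0.6: vulnerable whenever the invoker servlet is enabled
      (4.0.6 ships the fix, per the 'New release' section).
    - 4.1.x up to and including 4.1.12: vulnerable whenever it is enabled.
    - Any other version is not listed as vulnerable by this advisory.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (4, 0) and patch < 6:
        return invoker_enabled
    if (major, minor) == (4, 1) and patch <= 12:
        return invoker_enabled
    return False


def audit(version: str, web_xml: str) -> bool:
    """True when this version/config pair is exposed per the advisory."""
    enabled = bool(invoker_url_patterns(web_xml))
    return is_vulnerable(version, enabled)


if __name__ == "__main__":
    for label, xml in (("default", SAMPLE_WEB_XML_DEFAULT),
                       ("fixed", SAMPLE_WEB_XML_FIXED)):
        print(label, "invoker mapped at:", invoker_url_patterns(xml),
              "-> 4.0.5 vulnerable:", audit("4.0.5", xml))
```

To run it against a real installation, read $CATALINA_HOME/conf/web.xml into a string and pass it to audit() together with the version reported by the server; any non-empty result from invoker_url_patterns() means fix A has not been applied.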

New release
-----------

The Apache Tomcat Team announces the immediate availability of
a new release which includes a fix to the invoker servlet.

Apache Tomcat 4.0.6:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/

Remy
