FYI (source: theserverside.com - http://www2.theserverside.com/home/thread.jsp?thread_id=15763&article_count=6)

Posted By: Neven Cvetkovic on September 27, 2002 @ 09:41 AM

Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to a security bug that allows browsers to see JSP source code when putting the name of the default servlet, org.apache.catalina.servlets.DefaultServlet, in the URL.

Let's say you have a valid URL like:

  http://my.site/login.jsp

Then, if you use the following URL:

  http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp

you will see the source code of the JSP page.

The full syntax of the exposure URL is:

  http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp

For example, to see the JSP source of the Tomcat 4.1.10 admin application

  http://localhost:8080/admin/index.jsp

execute

  http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp

Solution: Upgrade to the latest releases, 4.0.5 and 4.1.12. See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the latest releases.

More details at: <http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0>.

Luiz Paulo

---------------------------------------------------------------------
To unsubscribe, send a message to: [EMAIL PROTECTED]
For additional commands, send a message to: [EMAIL PROTECTED]
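Added here as an illustration, not part of the forwarded post or of Tomcat itself: a small detector that flags requests matching the DefaultServlet exposure URL pattern above when run over Tomcat-style access-log lines. The common-log-format layout and the sample log lines are assumptions constructed for the example; decoding of percent-encoded paths is an addition the post does not mention.

```python
import re
from urllib.parse import unquote

# URL pattern the post describes: .../servlet/org.apache.catalina.servlets.DefaultServlet/<file>.jsp
# (with an optional context prefix such as /admin). Matching is done on the decoded path so that
# percent-encoded variants like index%2Ejsp are not missed (an assumption added here, not from the post).
DEFAULT_SERVLET_RE = re.compile(
    r"/servlet/org\.apache\.catalina\.servlets\.DefaultServlet/.+\.jsp$", re.IGNORECASE
)

# Common log format as an access-log valve typically writes it (assumed; adjust to your own pattern):
# host ident user [timestamp] "METHOD path HTTP/x.y" status bytes
ACCESS_LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def is_source_disclosure_request(path: str) -> bool:
    """True if the request path matches the DefaultServlet-via-/servlet/ pattern from the post."""
    decoded = unquote(path.split("?", 1)[0])  # drop the query string, then percent-decode
    return DEFAULT_SERVLET_RE.search(decoded) is not None


def scan_access_log(lines):
    """Return (host, path, status) for every request that matches the exposure pattern."""
    hits = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if m is None:
            continue  # not an access-log line in the assumed format
        if is_source_disclosure_request(m["path"]):
            # On an unpatched 4.0.4/4.1.10, a 200 here means the JSP source was most likely served.
            hits.append((m["host"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2002:09:41:00 +0000] "GET /login.jsp HTTP/1.0" 200 1432
10.0.0.9 - - [27/Sep/2002:09:42:10 +0000] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.0" 200 2210
10.0.0.9 - - [27/Sep/2002:09:42:15 +0000] "GET /admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp HTTP/1.0" 200 980
10.0.0.9 - - [27/Sep/2002:09:43:00 +0000] "GET /admin/servlet/org.apache.catalina.servlets.DefaultServlet/index%2Ejsp?x=1 HTTP/1.1" 200 980
10.0.0.7 - - [27/Sep/2002:09:44:00 +0000] "GET /servlet/com.example.MyServlet HTTP/1.0" 200 50
"""

if __name__ == "__main__":
    for host, path, status in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{host} requested {path} -> {status}")
```

Ordinary requests to /servlet/<SomeOtherServlet> are left alone; only the DefaultServlet-plus-.jsp combination is reported, which is the signature of the exposure described in the post.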
