On Thu, 26 Sep 2002, Andreas Mohrig wrote:
> The servlet to be disabled is the invoker servlet, not the
> DefaultServlet. The reason you see DefaultServlet so much in
> these postings is that the DefaultServlet can be tricked into
> serving the sources of your jsp's by invoking it over the invoker
> servlet, thereby treating jsp's like static content. But the trouble
> is originating in the invoker servlet.
Right. And to add a bit of perhaps clarifying information, invoking
in this context means calling a servlet using a URL of the form:
http://www.domain.com/context/servlet/full.class.name.of.servlet
that is, /servlet is a virtual directory that invokes the invoker
servlet, and full.class.name.of.servlet includes the package and
class name of the servlet class. This was the main/only way of
calling servlets way back when, but now the favored way is to define
servlets in web.xml. And some say this invoking method of calling
servlets should be disabled as a security precaution anyway, and only
defined servlets should be allowed (i.e., even before this bug showed
up).
This is all controlled by a servlet definition and mapping in the
web.xml (in Tomcat 4.0.X, at least, and I assume 4.1.X as well) --
look for invoker in it.
-----Original Message-----
From: Adam Greene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:47 PM
To: Tomcat Users List
Subject: Questions about [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Maybe I don't understand, but DefaultServlet, which is supposed to
serve static content, is disabled... How are we supposed to serve up
pictures, etc., that are static??
Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
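As an added illustration (not part of this thread, and not text from any of its authors), the fragments below show what "look for invoker in web.xml" turns up. The first two fragments are the invoker and default servlet definitions as shipped in Tomcat 4.0's conf/web.xml; the third shows the invoker definition and its /servlet/* mapping commented out, which is what disabling it amounts to, while the DefaultServlet and its "/" mapping are left untouched so static files keep being served. The last fragment is a hypothetical explicit servlet definition (the class name com.example.HelloServlet and the /hello path are made up for the example) showing the favored replacement for invoker-style URLs.

```xml
<!-- Fragment 1: stock Tomcat 4.0 conf/web.xml, the invoker servlet.
     While this definition and its mapping are active, any servlet class
     on the classpath is reachable as /context/servlet/full.class.name -->
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

<!-- Fragment 2: stock Tomcat 4.0 conf/web.xml, the DefaultServlet.
     This is the one that serves static content (images, CSS, plain files)
     through the "/" mapping. It stays as-is; disabling it is NOT the fix. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Fragment 3: the mitigated form of fragment 1. Comment out BOTH the
     definition and the mapping together: a mapping whose servlet-name no
     longer resolves makes the container complain at startup, and a
     definition without a mapping is pointless. (In a real web.xml every
     servlet element precedes every servlet-mapping element, DTD order.)
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->

<!-- Fragment 4 (hypothetical names): with the invoker gone, a servlet is
     reachable only if the application's own WEB-INF/web.xml defines and
     maps it explicitly. The URL becomes /context/hello instead of
     /context/servlet/com.example.HelloServlet -->
<servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/hello</url-pattern>
</servlet-mapping>
```

After editing conf/web.xml the container has to be restarted for the change to take effect, and any per-application WEB-INF/web.xml that declares its own invoker-style mapping to /servlet/* needs the same treatment, since a webapp's descriptor can add mappings on top of the global one.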