RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Randy Paries
That is what I needed ...

Thanks all

To follow this up, why is this a security risk?

Do they want specific mapping for each servlet?

Thanks

-Original Message-
From: PELOQUIN,JEFFREY (HP-Boise,ex1) [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 19, 2002 9:54 AM
To: 'Tomcat Users List'
Subject: RE: Should not be this hard


From the release notes


Enabling invoker servlet:


Starting with Tomcat 4.1.12, the invoker servlet is no longer available
by 
default in all webapp. Enabling it for all webapps is possible by
editing $CATALINA_HOME/conf/web.xml to uncomment the /servlet/*
servlet-mapping definition.

Using the invoker servlet in a production environment is not recommended
and is unsupported.

-Original Message-
From: Randy Paries [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 8:51 AM
To: 'Tomcat Users List'
Subject: Should not be this hard


Hello, me again

This should have been so easy (famous last words)

I am upgrading from tomcat jakarta-tomcat-4.0.4 to jakarta-tomcat-4.1.17
4.0.4 was working fine.

For some reason I can not find my servlets ARG!

In my web.xml I have a <load-on-startup/>, and in the log file the
servlet starts OK. But if I go to
http://bart.mydomain.com:8080/servlet/uServlet
I get a 404...

Here are some details. I have to be missing something very simple.

My static html and JSPs work OK when I go to
http://bart.mydomain.com:8080/index.html
http://bart.mydomain.com:8080/jsp/dirgloblogin.jsp

But if I go to http://bart.mydomain.com:8080/servlet/uServlet
I get a 404

from the log file I get :

2002-12-19 09:42:13 StandardContext[]: Mapping contextPath='' with
requestURI='/servlet/uServlet' and relativeURI='/servlet/uServlet'

2002-12-19 09:42:13 StandardContext[]:   Trying exact match
2002-12-19 09:42:13 StandardContext[]:   Trying prefix match
2002-12-19 09:42:13 StandardContext[]:   Trying extension match
2002-12-19 09:42:13 StandardContext[]:   Trying default match
2002-12-19 09:42:13 StandardContext[]:  Mapped to servlet 'default' with
servlet path '/servlet/uServlet' and path info 'null' and update=true
2002-12-19 09:42:13 default: DefaultServlet.serveResource:  Serving
resource '/servlet/uServlet' headers and data


In my server.xml I have

<Engine name="Standalone" defaultHost="localhost" debug="9">

  <Host name="localhost" debug="0" appBase="/home/unit" unpackWARs="true"
        autoDeploy="true">

    <Context path=""
             docBase="/home/unit"
             crossContext="true"
             debug="9"
             reloadable="false">
    </Context>
 

# ls -ls /home/unit/WEB-INF/classes
total 104
  32 -rwxrwxrwx 1 apache apache 32734 Dec 18 21:31 bbsServlet.class
   4 drwxrwxrwx 3 apache apache  4096 Aug 24 22:19 com
  36 -rw-rw-r-- 1 apache apache 33984 Nov  6 15:43 EditjsServlet.class
  32 -rwxrwxrwx 1 apache apache 31030 Dec 18 21:31 uServlet.class

Thanks for any Help!!!




--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]








RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Tim Moore
See these messages:

http://www.mail-archive.com/announcements@jakarta.apache.org/msg00122.html
http://www.mail-archive.com/announcements@jakarta.apache.org/msg00128.html

-- 
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863






RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Larry Meadors
These messages indicate that a fix is in the works: A new Tomcat 4.1.x
release incorporating the fix to the invoker servlet will be made
available shortly.

Am I reading this correctly as saying the quick fix is to disable the
invoker, but the long term fix is to change the invoker to make the
problem go away?

Larry

 [EMAIL PROTECTED] 12/19/02 09:38 AM 
See these messages:

http://www.mail-archive.com/announcements@jakarta.apache.org/msg00122.html
http://www.mail-archive.com/announcements@jakarta.apache.org/msg00128.html






RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Tim Moore
 -Original Message-
 From: Larry Meadors [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, December 19, 2002 12:09 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Should not be this hard(why is this a security risk)
 
 
 These messages indicate that a fix is in the works: A new 
 Tomcat 4.1.x release incorporating the fix to the invoker 
 servlet will be made available shortly.
 
 Am I reading this correctly as saying the quick fix is to 
 disable the invoker, but the long term fix is to change the 
 invoker to make the problem go away?

Actually, it's more the other way around.

The quick fix was to patch the invoker servlet so that it doesn't allow
you to invoke built-in servlets (such as the DefaultServlet).  That
eliminates the specific JSP source vulnerability that was reported in
those messages.

However, other servlets could have analogous problems.  If for some
reason you write a custom servlet that serves file content, for example,
it could be vulnerable.  Worse, any third-party servlets in your
classpath can be executed, regardless of whether you actually use them
or not in your application.  All things said, the invoker servlet is a
liability, and it's certainly not necessary in any case.  It's best to
use explicit mappings.

-- 
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863

 




RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Craig R. McClanahan


On Thu, 19 Dec 2002, Tim Moore wrote:

 Date: Thu, 19 Dec 2002 12:48:37 -0500
 From: Tim Moore [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: RE: Should not be this hard(why is this a security risk)

  -Original Message-
  From: Larry Meadors [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, December 19, 2002 12:09 PM
  To: [EMAIL PROTECTED]
  Subject: RE: Should not be this hard(why is this a security risk)
 
 
  These messages indicate that a fix is in the works: A new
  Tomcat 4.1.x release incorporating the fix to the invoker
  servlet will be made available shortly.
 
  Am I reading this correctly as saying the quick fix is to
  disable the invoker, but the long term fix is to change the
  invoker to make the problem go away?

 Actually, it's more the other way around.

 The quick fix was to patch the invoker servlet so that it doesn't allow
 you to invoke built-in servlets (such as the DefaultServlet).  That
 eliminates the specific JSP source vulnerability that was reported in
 those messages.

 However, other servlets could have analogous problems.  If for some
 reason you write a custom servlet that serves file content, for example,
 it could be vulnerable.  Worse, any third-party servlets in your
 classpath can be executed, regardless of whether you actually use them
 or not in your application.  All things said, the invoker servlet is a
 liability, and it's certainly not necessary in any case.  It's best to
 use explicit mappings.


I agree with the above.

For those who have existing applications based on /servlet/foo type
URLs, you can emulate what the invoker servlet does by defining your
servlet mappings cleverly.  Assume you've got servlet classes
com.mypackage.Foo and com.mypackage.Bar that you access with URLs like
/servlet/com.mypackage.Foo and /servlet/com.mypackage.Bar.  Adding the
following to your web.xml will make those URLs work just as before without
adding the vulnerability:

  <servlet>
    <servlet-name>foo</servlet-name>
    <servlet-class>com.mypackage.Foo</servlet-class>
  </servlet>

  <servlet>
    <servlet-name>bar</servlet-name>
    <servlet-class>com.mypackage.Bar</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>foo</servlet-name>
    <url-pattern>/servlet/com.mypackage.Foo/*</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>bar</servlet-name>
    <url-pattern>/servlet/com.mypackage.Bar/*</url-pattern>
  </servlet-mapping>

Of course, you can also map your servlets to any other context-relative
URL that you like, so you can make the URLs your users see prettier.

 --
 Tim Moore / Blackboard Inc. / Software Engineer
 1899 L Street, NW / 5th Floor / Washington, DC 20036
 Phone 202-463-4860 ext. 258 / Fax 202-463-4863


Craig


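Tim's point (with the invoker mapped, every servlet class on the classpath is reachable by name) and Craig's fix (explicit servlet-mappings give the /servlet/... URLs back without it) both come down to what is in web.xml, so here is an added example, not code from this thread or from Tomcat: a small Python audit that parses a web.xml and reports whether the invoker is mapped and which declared servlets have no mapping at all (the ones that 404 once the invoker is gone, as in the original question). The two web.xml documents inside it are constructed for the example, with servlet names borrowed from the thread; `org.apache.catalina.servlets.InvokerServlet` and the name `invoker` are what Tomcat 4.1's conf/web.xml declares, and the function names are mine. It also strips an xmlns prefix so it works on later, namespaced web.xml files, which goes beyond the Servlet 2.3 files this thread is about.

```python
"""Audit a Tomcat web.xml: is the invoker servlet mapped, and which declared servlets
have no explicit mapping? Added example for this thread, not Tomcat's own tooling."""
import sys
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"
# Name under which $CATALINA_HOME/conf/web.xml declares the invoker; an app can re-enable
# it by mapping that name in its own WEB-INF/web.xml without redeclaring the class.
INVOKER_NAMES = frozenset({"invoker"})

# Constructed sample 1: conf/web.xml with the /servlet/* mapping uncommented (the state
# the 4.1.12 release notes warn against).
INVOKER_ENABLED = """\
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample 2: an application's WEB-INF/web.xml (servlet names from the thread) that
# keeps /servlet/uServlet via an explicit mapping, leaves the invoker commented out, and
# forgets to map bbsServlet.
EXPLICIT_MAPPINGS = """\
<web-app>
  <servlet>
    <servlet-name>uServlet</servlet-name>
    <servlet-class>uServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>bbsServlet</servlet-name>
    <servlet-class>bbsServlet</servlet-class>
  </servlet>
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>uServlet</servlet-name>
    <url-pattern>/servlet/uServlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip an {xmlns} prefix so DTD-based (2.3) and namespaced (2.4+) files look alike."""
    return tag.rsplit("}", 1)[-1]

def parse_servlet_config(web_xml):
    """Return (servlet-name -> class, servlet-name -> [url-pattern, ...])."""
    root = ET.fromstring(web_xml)  # comments are dropped, so a commented-out mapping is invisible
    classes, mappings = {}, {}
    for el in root:
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if _local(el.tag) == "servlet":
            classes[fields["servlet-name"]] = fields.get("servlet-class", "")
        elif _local(el.tag) == "servlet-mapping":
            patterns = [(c.text or "").strip() for c in el if _local(c.tag) == "url-pattern"]
            mappings.setdefault(fields["servlet-name"], []).extend(patterns)
    return classes, mappings

def invoker_mappings(web_xml, invoker_names=INVOKER_NAMES):
    """URL patterns that route to the invoker; an empty list means it is disabled."""
    classes, mappings = parse_servlet_config(web_xml)
    hits = []
    for name, patterns in mappings.items():
        declared = classes.get(name)
        if declared == INVOKER_CLASS or (declared is None and name in invoker_names):
            hits.extend(patterns)
    return hits

def unmapped_servlets(web_xml):
    """Declared servlets with no url-pattern: only the invoker could reach them, so they 404
    once it is disabled until they get an explicit servlet-mapping."""
    classes, mappings = parse_servlet_config(web_xml)
    return sorted(name for name in classes if not mappings.get(name))

def report(web_xml):
    """Findings as strings; an empty list means nothing to fix."""
    findings = [f"invoker reachable at {p}: any servlet class on the classpath can be invoked "
                f"by name; comment this mapping out" for p in invoker_mappings(web_xml)]
    findings += [f"servlet '{n}' has no servlet-mapping; add an explicit url-pattern such as "
                 f"/servlet/{n}/* to keep its old URL working" for n in unmapped_servlets(web_xml)]
    return findings

if __name__ == "__main__":
    # Usage: python audit_webxml.py [web.xml ...]; with no arguments the two constructed
    # samples are audited. Files are read as bytes so the XML declaration's encoding is honoured.
    docs = [open(p, "rb").read() for p in sys.argv[1:]] or [INVOKER_ENABLED, EXPLICIT_MAPPINGS]
    for doc in docs:
        for line in report(doc) or ["ok: invoker disabled and every servlet mapped"]:
            print(line)
```

Because ElementTree drops XML comments, the commented-out /servlet/* block that ships in the 4.1 conf/web.xml is correctly reported as disabled. Run the script on conf/web.xml and on each application's WEB-INF/web.xml, since Tomcat merges the two and the mapping can be re-enabled in either place.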




Re: Should not be this hard(why is this a security risk)

2002-12-19 Thread Dodd Gatsos
Just a guess...

Because someone could theoretically drop a servlet into your file system
programmed to issue commands passed in as a parameter and execute them as
root?

