immediately so that I can correct and delete the original
email. Thank you.
:: -Original Message-
:: From: Schalk [mailto:[EMAIL PROTECTED]
:: Sent: Tuesday, June 08, 2004 9:27 PM
:: To: 'Tomcat Users List'
:: Subject: RE: JSP source being shown (not being executed)
::
:: I stand
: Tuesday, June 08, 2004 2:44 PM
To: Tomcat Users List
Subject: Re: JSP source being shown (not being executed)
Actually, I'm not running Apache right now. This has something
to do with my
servlet context (*.html) not being sent to the JSP engine -
it's treating it
like regular HTML right
For some reason my JSP source is being shown - it's not being compiled and
executed. It might be worthwhile mentioning that I am mapping some servlet
context as *.html, which redirects to this jsp - but it worked in another
app of mine and inside my new app it doesn't work.
I'm running Tomcat
Users List
:: Subject: JSP source being shown (not being executed)
::
:: For some reason my JSP source is being shown - it's not being compiled
and
:: executed. It might be worthwhile mentioning that I am mapping some
servlet
:: context as *.html, which redirects to this jsp - but it worked in another
[EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, June 08, 2004 11:23 AM
Subject: RE: JSP source being shown (not being executed)
Just a thought but, if you are running both Apache and Tomcat, Apache is
probably picking up the .html extension and tries to display the content
I have seen that before with JDK not in the system path.
-Original Message-
From: Michael Mehrle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 08, 2004 2:44 PM
To: Tomcat Users List
Subject: Re: JSP source being shown (not being executed)
Actually, I'm not running Apache right now
: Tuesday, June 08, 2004 11:50 AM
Subject: RE: JSP source being shown (not being executed)
I have seen that before with JDK not in the system path.
-Original Message-
From: Michael Mehrle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 08, 2004 2:44 PM
To: Tomcat Users List
Subject: Re
: Re: JSP source being shown (not being executed)
::
:: Actually, I'm not running Apache right now. This has something to do with
my
:: servlet context (*.html) not being sent to the JSP engine - it's treating
it
:: like regular HTML right now. Strange, since my other mappings seem to
work
:: fine
the original
email. Thank you.
:: -Original Message-
:: From: Schalk [mailto:[EMAIL PROTECTED]
:: Sent: Tuesday, June 08, 2004 9:27 PM
:: To: 'Tomcat Users List'
:: Subject: RE: JSP source being shown (not being executed)
::
:: I stand under correction but, it may even be that this not allowed
. Thanks, Jeff (and all others who offered a suggestion.)
Good luck,
Jeff
-Original Message-
From: Guy Rouillier [mailto:[EMAIL PROTECTED]
Sent: Monday, January 19, 2004 5:36 PM
To: Tomcat Users List
Subject: Mozilla showing JSP source code
I've tried to do due diligence
Getting off the topic of visible JSP source here, but ...
Note that an HTTP redirect isn't just an additional header, it also means a
different response status (302 Moved Temporarily instead of 200 OK).
I was under the impression that calling response.sendRedirect cleared the
buffer and caused
Sean Utt wrote:
Hi,
I used to see this when doing a response.sendRedirect()
without following it with a return(), but didn't see jsp
source, just html source. I did have a problem with mod_jk
showing .jsp source when the URI contained a // in the path
like http://dom.ain/context//file.jsp
examples on the web, but can't get them to work. I'll keep
plugging away.
Good luck,
Jeff
-Original Message-
From: Guy Rouillier [mailto:[EMAIL PROTECTED]
Sent: Monday, January 19, 2004 5:36 PM
To: Tomcat Users List
Subject: Mozilla showing JSP source code
I've tried
PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 8:44 AM
Subject: RE: Mozilla showing JSP source code
Sean Utt wrote:
Hi,
I used to see this when doing a response.sendRedirect()
without following it with a return(), but didn't see jsp
source, just html source
I've tried to do due diligence on this issue, searching the archives as
well as Google. I'm sure it is a common problem, but I found several
questions and no definitive responses, so here goes. Our website works
fine with IE, but we're having a significant problem with Mozilla (and
derivatives
showing JSP source code
I've tried to do due diligence on this issue, searching the archives as
well as Google. I'm sure it is a common problem, but I found several
questions and no definitive responses, so here goes. Our website works
fine with IE, but we're having a significant problem
Hi,
I used to see this when doing a response.sendRedirect() without following it
with a return(), but didn't see jsp source, just html source. I did have a
problem with mod_jk showing .jsp source when the URI contained a // in the
path like http://dom.ain/context//file.jsp, but that sounds like
Hi
I have just configured JK_MOD 1.2.3 for apache2.0.48 with Tomcat 4.1.29 on RH 9.0.
When I run my web apps from apache I get to see the source code of JSP instead of the
JSP page itself. How do I fix this?
regards
suneel
Using tomcat 4.1.18 I get the following error when trying to view my JSP
page:
An error occurred at line: -1 in the jsp file: null
Generated servlet error:
[javac] Compiling 1 source file
F:\Program
http://jakarta.apache.org/tomcat/faq/misc.html#compile
-Tim
Joe McGranaghan wrote:
Using tomcat 4.1.18 I get the following error when trying to view my JSP
page:
An error occurred at line: -1 in the jsp file: null
Generated servlet error:
[javac] Compiling 1 source file
F:\Program
Thanks for your help Tim.
From: Tim Funk [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: JSP source compilation error
Date: Sun, 06 Jul 2003 12:02:34 -0400
http://jakarta.apache.org/tomcat/faq/misc.html#compile
-Tim
Joe
Hi there,
Is there an official way to change the source of a JSP page from a
regular JSP file to a String read from a database? I think that Jasper
uses a subclass of java.io.Reader to read the file
(org.apache.jasper.compiler.JspReader) - so maybe there's a way to use a
java.io.StringReader
Sorry for asking some dumb question. I'm not a unix person.
What is wget and sendmail?
I cannot see those commands in UNIX.
Thanks
Deepa
-Original Message-
From: Will Hartung [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 1:43 AM
To: Tomcat Users List
Subject: Re: JSP source
Google is your friend:
http://www.google.com/search?q=wget
http://www.google.com/search?q=sendmail
-Original Message-
From: Deepa Raja [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 10:29 AM
To: Tomcat Users List
Subject: RE: JSP source
Sorry for asking some dumb
: Friday, January 10, 2003 4:29 AM
To: Tomcat Users List
Subject: RE: JSP source
Sorry for asking some dumb question. I'm not a unix person.
What is wget and sendmail?
I cannot see those commands in UNIX.
Thanks
Deepa
-Original Message-
From: Will Hartung [mailto:[EMAIL
Hi
I want to do some reporting that is to be called by a cron job.
I do not want to use a reporting tool. Can use JSP
* to talk to the database
* fetch the relevant details
* format the details as a report
* fetch the HTML source of the generated report
*
From: Turner, John [EMAIL PROTECTED]
Sent: Friday, January 10, 2003 5:08 AM
Subject: RE: JSP source
wget is a text-based client that can make HTTP and FTP requests, copying
the
results to a file.
wget is a popular program, but may not be installed on your system, so
you'll need to hunt
Hi
I want to do some reporting that is to be called by a cron job.
I do not want to use a reporting tool. Can use JSP
* to talk to the database
* fetch the relevant details
* format the details as a report
* fetch the HTML source of the generated report
*
-Original Message-
From: Deepa Raja [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 8:30 AM
To: [EMAIL PROTECTED]
Subject: JSP source
Hi
I want to do some reporting that is to be called by a cron job.
I do not want to use a reporting tool. Can use JSP
-Original Message-
From: Deepa Raja [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 8:30 AM
To: [EMAIL PROTECTED]
Subject: JSP source
Hi
I want to do some reporting that is to be called by a cron job.
I do not want to use a reporting tool. Can use JSP
b) reads the HTML
c) mails it to the intended recipients.
3. Write a cron job to run your email component
Andy
-Original Message-
From: Deepa Raja [mailto:[EMAIL PROTECTED]]
Sent: 09 January 2003 15:43
To: Tomcat Users List
Subject: RE: JSP source
Hi John
With JSP it is like
Exactly.
Something like java.net.URLConnection.getContent(), I believe.
John
-Original Message-
From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 10:48 AM
To: 'Tomcat Users List'
Subject: RE: JSP source
Fetching the HTML is straightforward
From: Bodycombe, Andrew [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Subject: RE: JSP source
Fetching the HTML is straightforward. Just create a URL connection and
read
the data from the stream.
Yup, great idea Andy, but too much work.
Stick this in your cron tab
#!/bin/sh
A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
crafted URL to return the unprocessed source of a JSP page, or, under
special circumstances, a static resource which would otherwise have been
protected
Could you send us your httpd.conf and workers.properties setup ?
--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
]]
Sent: Thursday, October 3, 2002 14:23
To: [EMAIL PROTECTED]
Subject: Re: JSP Source visible with mod_jk
Could you send us your httpd.conf and workers.properties setup ?
Hi,
I have an application run on a TC 4.0.5 and Apache 1.3.20 with mod_jk
with a ajp13 Connector.
Let's say I have an url http://www.mydomain.com/mydir/index.jsp.
When I enter http://www.mydomain.com/mydir/index I got the source code
of this jsp.
If read the security updates on
Carrie Salazar wrote:
I did see my JSP source when I tried this bug (Tomcat 4.0.4/Apache
2.0.40). I just deleted my JKMount to servlet and mapped only
the applications being used as mentioned in this group and
now I can no longer see my JSP source with this method.
I'll eventually move
Maybe I don't understand, but DefaultServlet, which is supposed to serve
static content is disabled... How are we supposed to serve up pictures, etc
that are static??
The DefaultServlet is ok. But it was being called by the invoker
servlet in a roundabout (unintended manner). The invoker servlet is
typically mapped to /servlet/*
The invoker servlet should be disabled. Or restricted using many of
the ways described in other threads.
You should be fine
content. But the trouble is originating in the invoker servlet.
Andreas Mohrig
-Original Message-
From: Adam Greene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:47 PM
To: Tomcat Users List
Subject: Questions about [SECURITY] Apache Tomcat 4.x JSP source
disclosure
assume 4.1.X as well) --
look for invoker in it.
-Original Message-
From: Adam Greene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:47 PM
To: Tomcat Users List
Subject: Questions about [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
Maybe I don't
Message-
From: Brad Plies [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 7:26 PM
To: Tomcat Users List
Subject: RE: Jsp source disclosure patch for legacy type 1
architectures
Thanks for the reply Tim,
I had downloaded and installed Apache Tomcat 4.1.12
(link
Good eye!
On the other hand, the thing you posted to jguru has
the opposite
problem. You'll need to add a second servlet
mapping to the source
disclosure blocker for
/servlet/org.apache.catalina.servlets.DefaultServlet/
3.2 Workaround:
There are at least two ways to protect from this vulnerability.
A. Tomcat in tandem with HTTP server front-end:
If you are using front-end HTTP server you can filter all
requests with the pattern */servlet/org.apache.catalina.servlets.DefaultServlet*
b. If you are using
24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
OK, thanks. (The BugTraq search engine wasn't working when I checked
there.)
So it sounds pretty much like
to this exposure.
Regards,
Rossen Raykov
-Original Message-
From: Kent Perrier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
On Tue, Sep 24, 2002
that it will be resistant
to this exposure.
Regards,
Rossen Raykov
-Original Message-
From: Kent Perrier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
On Tue
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
OK, thanks. (The BugTraq search engine wasn't
]]
Sent: Tuesday, September 24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
OK, thanks. (The BugTraq search engine wasn't working when I checked
/index.jsp) and all I got was a tomcat 404 error page.
Has anyone actually been able to view their JSP source via this
vulnerability?
Mona
==
Mona Wong-Barnum
National Center for Microscopy and Imaging
/ Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863
-Original Message-
From: Mona Wong-Barnum [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 6:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure
I am not sure about the process of offering patches
workarounds, but anyway, according to
http://jakarta.apache.org/site/news.html#0924.1 the
latest patch is actually only a disabling of the
Invoker servlet. However some people with old code
that who are relying on the Invoker servlet and
PROTECTED]]
Sent: Wednesday, September 25, 2002 6:53 PM
To: [EMAIL PROTECTED]
Subject: Jsp source disclosure patch for legacy type 1 architectures
I am not sure about the process of offering patches
workarounds, but anyway, according to
http://jakarta.apache.org/site/news.html#0924.1
]
Subject: Jsp source disclosure patch for legacy
type 1 architectures
I am not sure about the process of offering
patches
workarounds, but anyway, according to
http://jakarta.apache.org/site/news.html#0924.1
the latest
patch is actually only a disabling of the Invoker
servlet
I did see my JSP source when I tried this bug (Tomcat 4.0.4/Apache
2.0.40). I just deleted my JKMount to servlet and mapped only
the applications being used as mentioned in this group and
now I can no longer see my JSP source with this method.
I'll eventually move to Tomcat 4.0.5 but I wanted
A security vulnerability has been confirmed to exist in all Apache
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
allows to use a specially crafted URL to return the unprocessed source
of a JSP page, or, under special circumstances, a static resource which
would
Tomcat 4.x JSP source exposure security advisory
1. Summary
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.
2. Details:
Let's say you have a valid URL like
Rossen Raykov wrote:
Tomcat 4.x JSP source exposure security advisory
1. Summary
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.
--= [ cut ] =--
3
Veniamin Fichin wrote:
Rossen Raykov wrote:
Tomcat 4.x JSP source exposure security advisory
1. Summary
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet
: [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote:
A security vulnerability has been confirmed to exist in all Apache
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat
4.1.10), which
allows to use a specially
:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 5:26 PM
To: tomcat-dev; Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote:
A security vulnerability has been confirmed to exist
,
Rossen
-Original Message-
From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 5:26 PM
To: tomcat-dev; Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote:
A security vulnerability has been confirmed to exist in all Apache
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
allows to use a specially crafted URL to return the unprocessed source
of a JSP page, or,
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
I'm having a hard time finding many specifics about this exploit. It
sounds like you're forcing the default servlet to serve up the source
page as static content. Why isn't Velocity vulnerable in the
same way?
I'll
/ Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863
-Original Message-
From: Rossen Raykov [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:17 PM
To: 'Tomcat Users List'
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
See
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
OK, thanks. (The BugTraq search engine wasn't working when I checked
there.)
So it sounds pretty much like what I thought it was. I still don't
understand why Velocity wouldn't be vulnerable to this exploit.
It sounds to me like it
... or anything else tomcat modifies during retrieve?
Ray Allis
haven't been able
to get it up and running.
The problem:
- Requesting a JSP page by doing a request via port 8080 works fine
- Requesting a JSP page via apache and mod_jk returns the JSP source
code
It seems that requests to JSPs are not directed to port 8007 of Tomcat.
I try to give
a request via port 8080 works fine
- Requesting a JSP page via apache and mod_jk returns the JSP source
code
It seems that requests to JSPs are not directed to port 8007 of Tomcat.
I try to give a concise description below, hopefully somebody can tell
what I'm missing. It must be something simple
,
monitored the mailing list and unfortunately I still haven't been able
to get it up and running.
The problem:
- Requesting a JSP page by doing a request via port 8080 works fine
- Requesting a JSP page via apache and mod_jk returns the JSP source
code
It seems that requests to JSPs
- Requesting a JSP page via apache and mod_jk returns the JSP source
code
It seems that requests to JSPs are not directed to port 8007 of Tomcat.
I try to give a concise description below, hopefully somebody can tell
what I'm missing. It must be something simple...
Apache version: 1.3.14
I noticed that if I precompile JSP with jspc and setup servlet mapping
in web.xml,
changes to the original JSP file will not be picked up by Tomcat. Can I
have both
or are they mutually exclusive?
Bill
They are mutually exclusive.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 2:01 PM
To: [EMAIL PROTECTED]
Subject: precompile JSP with jspc picking up changes in JSP source
I noticed that if I precompile JSP with jspc