On Mon, 3 Mar 2003, Mike Silvers wrote:

> I am using Tomcat as an Apache plug in for my servlet engine.
> Neither of these characters will cause the jsp to show the source.
> Can you direct me to a resource that will inform me about these
> issues?  I have never heard of these issues while using Tomcat as
> the servlet/jsp container.  I would like to evaluate the security of
> our server.

What version of Tomcat are you using?  This was a problem in something
like versions 4.0.4 and 4.1.12, but it's been fixed in later versions.
You can check the archives of the tomcat-user list for more info --
the vulnerability (and fixes/patches) were announced there.



> ----- Original Message -----
> From: "Gang Zhang" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, February 28, 2003 4:19 PM
> Subject: Re: Is JSP or Servlet more secure?
>
>
> > Some time ago a friend of mine found that some jsp engines will show jsp
> > source by appending chars like '/' or %00 (there are more examples).  The
> > cause of that is Sun's java file io package will open a file even if there
> > is weird stuff appended to the end.  At the same time the engine thinks
> > the requested string is not a jsp because there are things appended to it.
> >
> > Since you brought it up I think it is a good time to put it on the mailing
> > list.
> >
> > Gang
> >
> > Having the source of the jsp seen could be harmful if it contains passwords
> > to database systems or other such info.  It might be a good idea to use a
> > bean to do that kind of stuff and just let the jsp invoke the bean.
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, February 28, 2003 2:45 PM
> > Subject: Re: Is JSP or Servlet more secure?
> >
> >
> > > Thanks for your quick response Mike. One reason I asked this question -
> > > On Google, Servlet+Security gives 258,000 hits, while JSP+Security nets
> > > 1,240,000 hits.
> > >
> > > One reason could be that JSPs are easier to use, and so more is written
> > > about them.
> > >
> > > There was another reason it could be so (speculation follows). The
> > > servlet classes are put in WEB-INF, which is only readable by the server
> > > (at least in Tomcat). JSPs are generally in the HTML area, which is easier
> > > to get to. Even the generated servlets from JSPs land in the work
> > > directory, which may be easier to get to than WEB-INF. Just wondering
> > > whether this relatively easier access to the source of JSPs may be a
> > > potential vulnerability.
> > >
> > > das
> > >
> > > Mike Silvers wrote:
> > >
> > > >No.  The main difference is the ease of use for creating HTML
> > > >documents.  The jsp makes it easier to create HTML documents.  When a
> > > >jsp is used, it is first compiled into a servlet and then used.
> > > >
> > > >Mike
> > > >
> > > >----- Original Message -----
> > > >From: <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Sent: Friday, February 28, 2003 2:12 PM
> > > >Subject: Is JSP or Servlet more secure?
> > > >
> > > >
> > > >>For creating a totally new web site, is there any difference from
> > > >>security point of view of using only servlets or using only JSPs?
> > > >>
> > > >>das
> > > >>
> > >
> > >
> >
> > > ___________________________________________________________________________
> > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > of the message "signoff SERVLET-INTEREST".
> > >
> > > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > > Resources: http://java.sun.com/products/servlet/external-resources.html
> > > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
> > >
> >
> >
> >
> >
>
>

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]

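An added example, not code from this thread or from Tomcat or the JDK: it models the mismatch Gang describes (the engine classifies the raw request string while the file layer opens a file with the appended junk stripped) next to a dispatcher that canonicalises first and refuses anything the file layer would silently alter. The lenient file-open behaviour and the WEB-INF rule are assumptions of the model, not a reproduction of any specific Tomcat or JDK version.

```python
from urllib.parse import unquote


def lenient_open_name(decoded_path: str) -> str:
    """Model of a file layer that truncates at NUL and drops a trailing '/'.

    Stand-in for the lenient java.io behaviour the thread mentions; it is
    an assumption of this example, not a reproduction of a JDK version.
    """
    return decoded_path.split("\x00", 1)[0].rstrip("/")


def classify_naive(raw_path: str):
    """Vulnerable pattern: pick the handler from the raw request string,
    but open whatever the lenient file layer resolves from it."""
    handler = "jsp" if raw_path.endswith(".jsp") else "static"
    return handler, lenient_open_name(unquote(raw_path))


def classify_hardened(raw_path: str):
    """Fixed pattern: canonicalise first, refuse requests the file layer
    would silently alter, and pick the handler from the canonical name.
    (Directory index requests would need their own branch; this model
    serves files only.)"""
    decoded = unquote(raw_path)
    canonical = lenient_open_name(decoded)
    # If the name that would actually be opened is not the name that was
    # asked for, the request carried junk (NUL, trailing '/'): refuse it.
    if canonical != decoded or any(ord(c) < 0x20 for c in canonical):
        return "reject", None
    # Assumption: WEB-INF is server-private (as das notes for Tomcat), so
    # any path segment naming it, compared case-insensitively, is refused.
    if any(seg.upper() == "WEB-INF" for seg in canonical.split("/")):
        return "reject", None
    handler = "jsp" if canonical.lower().endswith(".jsp") else "static"
    return handler, canonical


if __name__ == "__main__":
    # Constructed sample requests: the naive dispatcher hands the JSP file
    # to the static handler, which would serve its source; the hardened
    # one refuses the altered names and keeps the clean ones.
    for path in ("/app/index.jsp", "/app/index.jsp%00", "/app/index.jsp/"):
        print(path, classify_naive(path), classify_hardened(path))
```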
