Thank you for this information. The person who told me about it tested on some other webservers; I forget the names and didn't keep his e-mail. Next time I will do a better job :-) I told him to post on this group but I guess he forgot...

Gang

----- Original Message -----
From: "Milt Epstein" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 03, 2003 7:53 AM
Subject: Re: Is JSP or Servlet more secure?

> On Mon, 3 Mar 2003, Mike Silvers wrote:
>
> > I am using Tomcat as an Apache plug in for my servlet engine.
> > Neither of these characters will cause the jsp to show the source.
> > Can you direct me to a resource that will inform me about these
> > issues? I have never heard of these issues while using Tomcat as
> > the servlet/jsp container. I would like to evaluate the security of
> > our server.
>
> What version of Tomcat are you using? This was a problem in something
> like versions 4.0.4 and 4.1.12, but it's been fixed in later versions.
> You can check the archives of the tomcat-user list for more info --
> the vulnerability (and fixes/patches) were announced there.
>
> > ----- Original Message -----
> > From: "Gang Zhang" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, February 28, 2003 4:19 PM
> > Subject: Re: Is JSP or Servlet more secure?
> >
> > > Some time ago a friend of mine found that some jsp engines will show jsp
> > > source by appending chars like '/' or %00 (there are more examples). The
> > > cause of that is Sun's java file io package will open a file even if there
> > > is weird stuff appended to the end. At the same time the engine thinks the
> > > requested string is not a jsp because there are things appended to it.
> > >
> > > Since you brought it up I think it is a good time to put it on the mailing
> > > list.
> > >
> > > Gang
> > >
> > > The source of the jsp could be harmful to be seen if it contains passwords
> > > to database systems or other such info. It might be a good idea to use a
> > > bean to do that kind of stuff and just let the jsp invoke the bean.
> > >
> > > ----- Original Message -----
> > > From: <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, February 28, 2003 2:45 PM
> > > Subject: Re: Is JSP or Servlet more secure?
> > >
> > > > Thanks for your quick response Mike. One reason I asked this question - on
> > > > Google, Servlet+Security gives 258,000 hits, while JSP+Security nets
> > > > 1,240,000 hits.
> > > >
> > > > One reason could be that since JSPs are easier to use, more is
> > > > written about them.
> > > >
> > > > There was another reason it could be so (speculation follows). The servlet
> > > > classes are put in WEB-INF that is only readable by server (at least in
> > > > Tomcat). JSPs are generally in HTML area that are easier to get to. Even
> > > > generated servlets from JSPs land up in work directory, that may be easier
> > > > to get to than WEB-INF. Just wondering whether this relatively easier
> > > > access to source of JSPs may be a potential vulnerability.
> > > >
> > > > das
> > > >
> > > > Mike Silvers wrote:
> > > >
> > > > >No. The main difference is the ease of use for creating HTML documents.
> > > > >The jsp makes it easier to create HTML documents. When a jsp is used, it
> > > > >is first compiled into a servlet and then used.
> > > > >
> > > > >Mike
> > > > >
> > > > >----- Original Message -----
> > > > >From: <[EMAIL PROTECTED]>
> > > > >To: <[EMAIL PROTECTED]>
> > > > >Sent: Friday, February 28, 2003 2:12 PM
> > > > >Subject: Is JSP or Servlet more secure?
> > > > >
> > > > >>For creating a totally new web site, is there any difference from
> > > > >>security point of view of using only servlets or using only JSPs?
> > > > >>
> > > > >>das
> > > >
> > > > ___________________________________________________________________________
> > > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > > of the message "signoff SERVLET-INTEREST".
> > > >
> > > > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > > > Resources: http://java.sun.com/products/servlet/external-resources.html
> > > > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
> Milt Epstein
> Research Programmer
> Integration and Software Engineering (ISE)
> Campus Information Technologies and Educational Services (CITES)
> University of Illinois at Urbana-Champaign (UIUC)
> [EMAIL PROTECTED]
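The mismatch Gang describes (the container's `*.jsp` mapping no longer matches a path with '/' or %00 appended, while the file system still resolves the underlying file) can be guarded against in front of the JSP servlet with a servlet filter. This is an added example written for this page, not code from the thread or from Tomcat; the class name `JspPathGuardFilter` and its mapping to `/*` in web.xml are assumptions.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (added example): rejects paths that name a .jsp resource
 *  but carry trailing characters the container's "*.jsp" mapping would not match. */
public class JspPathGuardFilter implements Filter {

    // ".jsp" followed by a non-alphanumeric char ('/', '.', NUL, ...) before end of path
    private static final Pattern JSP_WITH_SUFFIX =
        Pattern.compile("(?i)\\.jsp(?=[^A-Za-z0-9])");

    /** Pure check so it can be unit-tested without a container. */
    static boolean looksLikeSourceProbe(String requestUri) {
        String decoded;
        try {
            decoded = URLDecoder.decode(requestUri, "UTF-8");
        } catch (Exception e) {
            return true; // undecodable path: refuse rather than guess
        }
        // A NUL byte is never legitimate in a URL path
        if (decoded.indexOf('\0') >= 0) return true;
        // "/foo.jsp/", "/foo.jsp.", "/foo.jsp%00" match; "/foo.jsp" and "/foo.jspx" do not
        return JSP_WITH_SUFFIX.matcher(decoded).find();
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String uri = ((HttpServletRequest) req).getRequestURI();
        if (looksLikeSourceProbe(uri)) {
            // Answer 404 instead of letting the default servlet serve whatever the
            // file system resolves the mangled path to
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Upgrading to a Tomcat release that carries the fix Milt mentions is the real remedy; the filter is a defence-in-depth layer and will also reject legitimate `.jsp` URLs that carry path info.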
