Robert,

That's one. The other is if you have a servlet sitting in your app that
should be called by another class. If the hacker gets lucky he could call
this servlet with his own query/post from the URL and bypass any
check/security you may have in the calling servlet. Now if the nonpublic
servlet can access things and return them to the client you could have a big
hole for the hacker to look into your data with.

Now with this in mind suppose the servlet can query a database using the
querystring data and the database contains sensitive data. Hackers seem to
have this unlimited amount of time to try thousands of combinations until
they get a response. Once they figure out your structure you're sunk.

Look at all your servlets and ask what can they do if you call them
directly. Can their use be twisted?

Now let your imagination flow.

Doug
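An added illustration of the two-servlet situation Doug describes (example code written for this thread, not Doug's, Rob's, or Tomcat's own): the public servlet performs the check and forwards server-side; the internal servlet refuses any request that did not arrive by forward, which is exactly what a direct /servlet/package.Class call through the invoker looks like. It assumes a Servlet 2.4 container (Tomcat 5), the hypothetical class names FrontServlet and ReportServlet, and a web.xml that declares both servlets but gives a servlet-mapping only to FrontServlet.

```java
package samplepackage;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// --- File 1: FrontServlet.java (the only servlet mapped to a URL in web.xml) ---
public class FrontServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Hypothetical access check: the login code is assumed to have put a
        // "user" attribute in the session; anything else is refused here.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Server-side forward by servlet-name: the browser never addresses
        // ReportServlet itself, so no URL for it needs to exist.
        RequestDispatcher rd = getServletContext().getNamedDispatcher("ReportServlet");
        rd.forward(req, resp);
    }
}

// --- File 2: ReportServlet.java (declared in web.xml, but with no servlet-mapping) ---
public class ReportServlet extends HttpServlet {
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A Servlet 2.4 container sets this attribute only on a
        // RequestDispatcher.forward(). A direct hit such as
        // /sampleapp/servlet/samplepackage.ReportServlet (reachable whenever the
        // invoker is enabled) arrives without it, so it is refused.
        if (req.getAttribute("javax.servlet.forward.request_uri") == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        super.service(req, resp); // dispatches to doGet below
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The sensitive work lives here; it now runs only behind FrontServlet's check.
        String account = req.getParameter("account");
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + account + " (database lookup omitted)");
    }
}
```

Removing the invoker's servlet-mapping from Tomcat's conf/web.xml and mapping each servlet explicitly remains the primary fix; the forward-attribute check is defence in depth for the case where the invoker is left on.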

----- Original Message ----- 
From: "Robert Mazur" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Monday, March 29, 2004 10:30 AM
Subject: Re: JSP works, Servlet does not work


> On Saturday 27 March 2004 17:07, Phillip Rhodes wrote:
> > Robert Mazur wrote:
> > > SUMMARY:
> > > JSP's work, but servlets give:
> > > HTTP Status 404 - /sampleapp/servlet/samplepackage.SampleServlet
> >
> > Offhand, this sounds like the problem people experience because
> > newer versions of Tomcat ship with the Invoker servlet
> > disabled by default.  Take a look at this page,
> > and see if this helps:
> >
> > http://www.cs.fiu.edu/~downeyt/cgs4825/context.html
> >
> > You can tell if this is the problem you're having if
> > you define a servlet mapping in your web.xml and you
> > can access your servlet that way, but accessing it using
> > the /servlet/whatever url pattern fails.
> >
> > HTH.. otherwise, hopefully some of the more knowledgeable
> > list members will chime in..
> >
> > TTYL,
> >
> > Phil
> Phil and Doug,
>
> Thanks to you both for the help.  I have it working now.   Man, I am so
> psyched that I can stop beating my head against the wall.  I was
> definitely cruising down the wrong path in trying to fix this problem.
> Your posts saved me a lot of grief.
>
> So as Doug mentioned, leaving the invoker "open" as default can lead to
> evil. Is this because then Tomcat would be willing to invoke any old
> servlet that a cracker might manage to upload to your server?  So all the
> mapping in web.xml is extra insurance that Tomcat will execute only what
> you want it to?
>
> If that is not the reason, could someone mention what else the reasons
> could be for the potential evil?
>
> Thanks guys!
> Rob
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
