Hi,
Regarding the recent advisory from Westpoint Security:

-------------------------------------
Westpoint Security Advisory

Title: Apache Tomcat Cross Site Scripting
Risk Rating: Low
Software: Apache Tomcat v4.0.3
Platforms: WinNT, Win2k, Linux
Vendor URL: jakarta.apache.org
Author: Matt Moore <[EMAIL PROTECTED]>
Date: 10th July 2002
Advisory ID#: wp-02-0008

Overview:
=========

Apache Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat has a couple of Cross Site Scripting vulnerabilities.

<SNIPPED>

Patch Information:
==================

Upgrading to v4.1.3 beta resolves the DOS device name XSS issue.

The workaround for the other XSS issues described above is as follows:

The "invoker" servlet (mapped to /servlet/), which executes anonymous servlet classes that have not been defined in a web.xml file, should be unmapped. The entry for this can be found in the /tomcat-install-dir/conf/web.xml file.
-------------------------------------

What does one need to do exactly regarding the work-around for 4.0.x versions of Tomcat? Unmapping the "invoker" servlet for /servlet/ seems to disable my webapps! Or am I misinterpreting this?

TIA.

Regards,
Dan

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
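As an added illustration (not part of Dan's message or of the Westpoint advisory), here is what the advisory's workaround looks like in a Tomcat 4.0.x install: the two "invoker" entries in /tomcat-install-dir/conf/web.xml, with the servlet-mapping commented out so that /servlet/* no longer dispatches to the InvokerServlet, followed by an explicit mapping in a webapp's own WEB-INF/web.xml. The invoker servlet is what lets a servlet class be reached as /servlet/ClassName without being declared anywhere, so a webapp that relied on that convention needs a declaration like the second fragment once the mapping is gone. The class name com.example.HelloServlet and the /hello path are placeholders for this example.

```xml
<!-- /tomcat-install-dir/conf/web.xml (global defaults, Tomcat 4.0.x) -->
<web-app>

  <!-- The servlet definition can stay; it is harmless without a mapping. -->
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>

  <!-- Workaround: comment out (or delete) the mapping so /servlet/* is
       no longer routed to the invoker servlet in any webapp. -->
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

</web-app>

<!-- <webapp>/WEB-INF/web.xml: a servlet that used to be reached as
     /servlet/com.example.HelloServlet now needs an explicit declaration.
     Class name and URL pattern are placeholders for this example. -->
<web-app>

  <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>

</web-app>
```

After the change, a request for /webapp/servlet/com.example.HelloServlet returns 404, which is the intended effect of the workaround; the same class is reachable at /webapp/hello through its declared mapping. Any servlet that a webapp only ever addressed through /servlet/ needs its own servlet and servlet-mapping pair in that webapp's WEB-INF/web.xml.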
