Regarding the recent XSS vulnerability reported with Tomcat 4.0.3: the recommended solution is to upgrade to 4.1.3-beta (I see 4.1.7-beta has been released). The alert doesn't mention any other version of Apache Tomcat besides 4.0.3, but probably 4.0.4 is vulnerable too? I'm on a Linux platform and just upgraded to the 4.0.4 release via RPM yesterday (bravo for the FHS changes). Tomcat and Apache httpd are talking with mod_webapp.so.

Since I can't upgrade to the latest beta (trying to stick with RPMs), the suggested workaround is to unmap /servlet/ in Tomcat's web.xml. By unmapping that, what changes would I likely need to make in the Tomcat or webapp web.xml to avoid 404 errors (i.e. "The requested resource (/blah/) is not available.")? Would I need to do this for each .jsp in that webapp? Beyond that, am I also likely to need to add an entry in WEB-INF/web.xml for each .jar in its WEB-INF/lib? What would these entries be, if any?

Thanks for any and all help.

~ Daniel
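The workaround the post refers to, shown as an added configuration example (editor's addition, not part of the original message): in Tomcat 4 the /servlet/* pattern in conf/web.xml belongs to the invoker servlet, which loads any servlet class by name from the request URL, and once that mapping is disabled each servlet the webapp exposes must be declared explicitly in its own WEB-INF/web.xml. The servlet class and path names in the second file are hypothetical.

```xml
<!-- File 1: $CATALINA_HOME/conf/web.xml (server-wide defaults, Tomcat 4).
     The invoker maps /servlet/<ClassName> to any class on the classpath at
     request time; disabling it is the workaround from the alert. -->
<!--
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
<!-- The "jsp" servlet and its *.jsp mapping are separate and stay as shipped,
     so individual .jsp files need no entries. -->

<!-- File 2: <webapp>/WEB-INF/web.xml. Declare each servlet by name instead
     of relying on the invoker. Names below are hypothetical. -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <servlet>
        <servlet-name>hello</servlet-name>
        <servlet-class>com.example.HelloServlet</servlet-class>
    </servlet>
    <!-- Keeps the old URL working, but only for this one named class;
         unknown class names under /servlet/ now return 404 instead of loading. -->
    <servlet-mapping>
        <servlet-name>hello</servlet-name>
        <url-pattern>/servlet/HelloServlet</url-pattern>
    </servlet-mapping>
    <!-- Jars in WEB-INF/lib are placed on the webapp classpath automatically;
         nothing in web.xml refers to them, so no per-jar entries are needed. -->
</web-app>
```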
