Do us, or rather me, a favor, and take your arrogant, l33t rant somewhere else. Believe me, I'm already awake.
John

> -----Original Message-----
> From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 24, 2002 5:26 PM
> To: tomcat-dev; Tomcat Users List
> Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
>
> on 2002/9/24 4:59 AM, "Remy Maucherat" <[EMAIL PROTECTED]> wrote:
>
> > A security vulnerability has been confirmed to exist in all Apache
> > Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> > allows to use a specially crafted URL to return the unprocessed source
> > of a JSP page, or, under special circumstances, a static resource which
> > would otherwise have been protected by security constraint, without the
> > need for being properly authenticated.
>
> Once again...JSP sucks and Velocity is the right way to go...you will never
> have to worry about your container spilling your beans (pun intended).
>
> Given that Tomcat gets around 100k+ downloads/week...imagine how many
> servers now need to be updated and how much money and time that will cost to
> do so?
>
> http://jakarta.apache.org/velocity/
>
> Wake up people. Velocity is faster and more secure than JSP will ever be.
>
> -jon
