The problem is not connected directly to the JSPs or the JSP engine. It's the default servlet that has the problem. I didn't test it, but I believe using this vulnerability one can get Velocity also. What he will find inside depends only on the programmers/designers in both cases.
Regards,
Rossen

> -----Original Message-----
> From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 24, 2002 5:26 PM
> To: tomcat-dev; Tomcat Users List
> Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
>
> on 2002/9/24 4:59 AM, "Remy Maucherat" <[EMAIL PROTECTED]> wrote:
>
> > A security vulnerability has been confirmed to exist in all Apache
> > Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> > allows to use a specially crafted URL to return the unprocessed source
> > of a JSP page, or, under special circumstances, a static resource which
> > would otherwise have been protected by security constraint, without the
> > need for being properly authenticated.
>
> Once again...JSP sucks and Velocity is the right way to go...you will never
> have to worry about your container spilling your beans (pun intended).
>
> Given that Tomcat gets around 100k+ downloads/week...imagine how many
> servers now need to be updated and how much money and time that will cost to
> do so?
>
> http://jakarta.apache.org/velocity/
>
> Wake up people. Velocity is faster and more secure than JSP will ever be.
>
> -jon
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
