OK, thanks. (The BugTraq search engine wasn't working when I checked
there.)

So it sounds pretty much like what I thought it was. I still don't
understand why Velocity wouldn't be vulnerable to this exploit.

-- 
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863


> -----Original Message-----
> From: Rossen Raykov [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, September 24, 2002 6:17 PM
> To: 'Tomcat Users List'
> Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> 
> 
> See the original posting on BugTraq for more details:
> http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0
> 
> Regards,
> Rossen Raykov
> 
> 
> > -----Original Message-----
> > From: Tim Moore [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 24, 2002 5:34 PM
> > To: Tomcat Users List
> > Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> > 
> > 
> > I'm having a hard time finding many specifics about this exploit. It
> > sounds like you're forcing the default servlet to serve up the source
> > page as static content.  Why isn't Velocity vulnerable in the same
> > way?
> > 
> > I'll buy that Velocity is faster than JSP, and certainly can be more
> > concise and readable.  I haven't seen much about security.  What makes
> > it more secure than JSP?
> > --
> > Tim Moore / Blackboard Inc. / Software Engineer
> > 1899 L Street, NW / 5th Floor / Washington, DC 20036
> > Phone 202-463-4860 ext. 258 / Fax 202-463-4863
> > 
> > 
> > > -----Original Message-----
> > > From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, September 24, 2002 5:26 PM
> > > To: tomcat-dev; Tomcat Users List
> > > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> > > 
> > > 
> > > on 2002/9/24 4:59 AM, "Remy Maucherat" <[EMAIL PROTECTED]> wrote:
> > > 
> > > > A security vulnerability has been confirmed to exist in all Apache
> > > > Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> > > > allows the use of a specially crafted URL to return the unprocessed
> > > > source of a JSP page, or, under special circumstances, a static
> > > > resource which would otherwise have been protected by a security
> > > > constraint, without the need for being properly authenticated.
> > > 
> > > Once again...JSP sucks and Velocity is the right way to
> > > go...you will never have to worry about your container 
> > > spilling your beans (pun intended).
> > > 
> > > Given that Tomcat gets around 100k+ downloads/week...imagine
> > > how many servers now need to be updated and how much money 
> > > and time that will cost to do so?
> > > 
> > >     http://jakarta.apache.org/velocity/
> > > 
> > > Wake up people. Velocity is faster and more secure than JSP will ever
> > > be.
> > > 
> > > -jon
