Hi. I've just confirmed that Velocity (at least in Turbine v2.1) suffers from this problem.
Regards,
Dan

On Wed, 25 Sep 2002, Rossen Raykov wrote:
> The servlets are not vulnerable since their code is under WEB-INF and is
> successfully protected from downloads.
> All other interpreted application stuff, outside of WEB-INF, like JSP, is
> vulnerable since it can be downloaded as regular files but not be
> processed by the corresponding engine.
> That's why I believe Velocity should suffer from this bug in the same way
> JSP does.
> I didn't test Velocity but there is not any reason that it will be resistant
> to this exposure.
>
> Regards,
> Rossen Raykov
>
> > -----Original Message-----
> > From: Kent Perrier [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 24, 2002 6:59 PM
> > To: Tomcat Users List
> > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> >
> > On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
> > > OK, thanks. (The BugTraq search engine wasn't working when I checked
> > > there.)
> > >
> > > So it sounds pretty much like what I thought it was. I still don't
> > > understand why Velocity wouldn't be vulnerable to this exploit.
> >
> > It sounds to me like it should be. From the bugtraq post, all servlets
> > and JSPs that run in a Tomcat instance are vulnerable. Since Velocity
> > runs under Tomcat, logically, it is vulnerable. All other claims are
> > illogical.
> >
> > Kent
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
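The thread's working hypothesis is that a template living outside WEB-INF can come back from the server as a plain static file rather than as engine output. A practical way to confirm that on your own deployment, without knowing the exact trigger path, is to look at whatever body you fetched for template syntax that a functioning JSP or Velocity engine would never emit. The following is an added example (not code from the thread, nor from Tomcat, Velocity or Turbine). The marker patterns are assumptions drawn from JSP and VTL syntax, and the three sample bodies are constructed for the test, not captured from any real server.

```python
"""Classify an HTTP response body as a rendered page or leaked template source.

Added example for the Tomcat JSP source-disclosure thread; not code from
the original posts or from Tomcat, Velocity or Turbine. Marker patterns
are assumptions based on JSP and Velocity syntax; tune them for your app.
"""
import re
from typing import Dict, List

# Strong markers: the engine always consumes these before output reaches
# the client, so seeing one in a response means the file was served as a
# static resource instead of being processed.
STRONG_MARKERS: Dict[str, "re.Pattern[str]"] = {
    "jsp_directive":   re.compile(r"<%@\s*(?:page|include|taglib)\b"),
    "jsp_scriptlet":   re.compile(r"<%(?![@=!])[\s\S]*?%>"),
    "jsp_expression":  re.compile(r"<%=[\s\S]*?%>"),
    "jsp_declaration": re.compile(r"<%![\s\S]*?%>"),
    # Velocity directives that take an argument list: #set(, #if(, #foreach( ...
    "vtl_directive":   re.compile(r"#(?:set|if|elseif|foreach|parse|include|macro)\s*\("),
}

# Weak markers: also legitimate in rendered output (JS template literals
# use ${...}), so they only count when at least two appear.
WEAK_MARKERS: Dict[str, "re.Pattern[str]"] = {
    "vtl_formal_ref": re.compile(r"\$!?\{[A-Za-z_][\w.]*(?:\([^)]*\))?\}"),
}


def find_markers(body: str) -> List[str]:
    """Return the names of template markers found in a response body."""
    found = [name for name, pat in STRONG_MARKERS.items() if pat.search(body)]
    weak_hits = sum(len(pat.findall(body)) for pat in WEAK_MARKERS.values())
    if weak_hits >= 2:
        found.append("vtl_formal_ref")
    return found


def classify(body: str) -> str:
    """'jsp-source', 'velocity-source' or 'rendered'."""
    markers = find_markers(body)
    if any(m.startswith("jsp_") for m in markers):
        return "jsp-source"
    if markers:
        return "velocity-source"
    return "rendered"


def probe(url: str, timeout: float = 10.0) -> str:
    """Fetch a URL you are authorised to test and classify the body.
    Hypothetical helper; it is never called offline."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify(resp.read().decode("utf-8", "replace"))


# Constructed sample bodies (not captured from any real server).
RENDERED = """<html><body><h1>Welcome, Dan</h1>
<script>const msg = `Hi ${user}`;</script>
<a href="#end">skip</a></body></html>"""

LEAKED_JSP = """<%@ page import="java.sql.*" %>
<html><body>
<% String pw = "changeme"; Connection c = DriverManager.getConnection(url, "app", pw); %>
<h1>Welcome, <%= request.getParameter("name") %></h1>
</body></html>"""

LEAKED_VM = """#set($title = "Welcome")
<html><body><h1>$title, ${user.name}</h1>
#foreach($item in $items)
  <li>$item</li>
#end
</body></html>"""

if __name__ == "__main__":
    for label, body in (("rendered", RENDERED), ("jsp", LEAKED_JSP), ("vm", LEAKED_VM)):
        print(f"{label:9s} -> {classify(body):16s} markers={find_markers(body)}")
```

The rendered sample deliberately contains `${user}` and `href="#end"`, which is why bare references and parenthesis-less directives are treated as weak or ignored: a check that flags every `$` or `#` in a page will drown you in false positives on ordinary HTML and JavaScript. Run `probe()` only against hosts you are authorised to test.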