I'm referring to Tomcat v4.0.4 with Turbine v2.1 on both Windows XP
and Linux platforms, and yes it does suffer from the vulnerability.

I've not tried the fixed versions 4.0.5 or 4.1.12 yet.

Regards,
Dan

On 25 Sep 2002, Rob Reed wrote:

> Please let me know if you are still experiencing this. It looks correct
> to me right now.
>
> Thanks,
> Rob Reed
> Isomedia.com
>
> On Wed, 2002-09-25 at 14:28, Dan K. wrote:
> >
> > Hi.  I've just confirmed that Velocity (at least in Turbine v2.1)
> > suffers from this problem.
> >
> > Regards,
> > Dan
> >
> > On Wed, 25 Sep 2002, Rossen Raykov wrote:
> >
> > > The servlets are not vulnerable since their code is under WEB-INF and is
> > > successfully protected from downloads.
> > > All other interpreted application stuff, outside of WEB-INF, like JSP are
> > > vulnerable since they can be downloaded as regular files but not be
> > > processed by the corresponding engine.
> > > That's why I believe Velocity should suffer from this bug in the same way
> > > JSP is.
> > > I didn't test Velocity but there is not any reason that it will be resistant
> > > to this exposure.
> > >
> > > Regards,
> > > Rossen Raykov
> > >
> > > > -----Original Message-----
> > > > From: Kent Perrier [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, September 24, 2002 6:59 PM
> > > > To: Tomcat Users List
> > > > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> > > >
> > > >
> > > > On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
> > > > > OK, thanks. (The BugTraq search engine wasn't working when I checked
> > > > > there.)
> > > > >
> > > > > So it sounds pretty much like what I thought it was. I still don't
> > > > > understand why Velocity wouldn't be vulnerable to this exploit.
> > > >
> > > > It sounds to me like it should be.  From the bugtraq post, all servlets
> > > > and JSPs that run in a Tomcat instance are vulnerable.  Since Velocity
> > > > runs under Tomcat, logically, it is vulnerable.  All other claims are
> > > > illogical.
> > > >
> > > > Kent
> > > >
> > > > --
> > > > To unsubscribe, e-mail:
> > > > <mailto:[EMAIL PROTECTED]>
> > > > For additional commands, e-mail:
> > > > <mailto:[EMAIL PROTECTED]>
> > > >
> > >
> > >
> >
> >
> >
>
>
>
>


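As an added example that is not part of this thread, the following audit walks an exploded Tomcat webapp and lists interpreted files (JSP, Velocity .vm) that sit outside WEB-INF and META-INF, the directories Rossen notes the container never serves as plain downloads. The extension list, the helper names and the sample webapp layout are constructed assumptions, not anything from Tomcat or Velocity.

```python
"""Audit a deployed webapp for interpreted files that live outside WEB-INF/META-INF.

Added example; not from the mailing-list thread. Assumes an exploded webapp
directory. The extension list is an assumption to be adjusted per stack.
"""
import os
import tempfile

# Files handled by an engine (Jasper, Velocity) rather than served verbatim.
INTERPRETED_EXTENSIONS = (".jsp", ".jspx", ".vm")  # assumption: extend for your stack

# The servlet spec forbids serving anything under these directories directly.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def exposed_interpreted_files(webapp_root, extensions=INTERPRETED_EXTENSIONS):
    """Return sorted webapp-relative paths of interpreted files outside the protected dirs."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(webapp_root):
        rel_dir = os.path.relpath(dirpath, webapp_root)
        top = "" if rel_dir == "." else rel_dir.split(os.sep)[0]
        if top in PROTECTED_DIRS:
            dirnames[:] = []  # do not descend; nothing here is downloadable anyway
            continue
        for name in filenames:
            if name.lower().endswith(extensions):
                rel = name if rel_dir == "." else os.path.join(rel_dir, name)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_webapp(root):
    """Constructed layout mirroring the thread: JSP and .vm both inside and outside WEB-INF."""
    layout = {
        "index.jsp": "<%= request.getRemoteAddr() %>",
        "templates/home.vm": "Hello $user",
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/templates/admin.vm": "Admin $user",
        "css/site.css": "body{}",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo():
    """Build the constructed webapp in a temp dir and return what would be exposed."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webapp(root)
        return exposed_interpreted_files(root)


if __name__ == "__main__":
    for path in demo():
        print("exposed outside WEB-INF:", path)
```

Anything the audit reports is a candidate for moving under WEB-INF (as the thread observes, Velocity templates load fine from there) so a source-disclosure bug in the container has nothing to hand back.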
