They also changed the InvokerServlet so that it can't be used to invoke other built-in servlets (including the DefaultServlet). So even if you uncomment the invoker servlet, you still won't be vulnerable to this specific exploit.
There might be other ways in which your site is vulnerable to invoker servlet exploits, however. It's best to try to disable it if possible. One thing that might work (though I haven't tried it) is to explicitly map your servlets to the names they would be invoked as. For example, if you have a servlet com.mycompany.MyServlet that you were invoking as:

http://www.mycompany.com/myapp/servlet/com.mycompany.MyServlet

you should be able to add this to your myapp's web.xml:

    <servlet>
        <servlet-name>MyServlet</servlet-name>
        <servlet-class>com.mycompany.MyServlet</servlet-class>
    </servlet>
    ...
    <servlet-mapping>
        <servlet-name>MyServlet</servlet-name>
        <url-pattern>/servlet/com.mycompany.MyServlet</url-pattern>
    </servlet-mapping>

and repeat that for all of the other servlets you use. I think this would do the trick and you could then disable the invoker servlet. But, as I said, I haven't actually tried this, and obviously you would need to be able to catalog all of the servlets that your application was using.

--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863

> -----Original Message-----
> From: Brad Plies [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 25, 2002 6:53 PM
> To: [EMAIL PROTECTED]
> Subject: Jsp source disclosure patch for legacy type 1 architectures
>
>
> I am not sure about the process of offering patches &
> workarounds, but anyway, according to
> http://jakarta.apache.org/site/news.html#0924.1 the latest
> patch is actually only a disabling of the Invoker servlet.
> However some people with old code who are relying on the
> Invoker servlet and cannot disable it w/o breaking their site
> are still exposed.
>
> I have posted my own custom hack to solve this
> problem, and it can be found here
> http://www.jguru.com/forums/view.jsp?EID=1004251
>
> Someone please gently correct me with any mistakes I
> have made, I'm just trying to be helpful here.

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
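The two practical questions in Tim Moore's reply are whether the invoker servlet is still mapped, and whether every servlet the application relies on has been given an explicit /servlet/<fully qualified class> mapping so the invoker can then be turned off. The following script, an added example and not code from this thread or from Tomcat, audits a web.xml for exactly that: it reports whether an invoker mapping is active, which servlets are already mapped the explicit way, and which declared servlets have no mapping at all (those are the ones that were only ever reachable through the invoker and would break once it is disabled). It recognises the invoker by the conventional servlet-name "invoker", a servlet-class ending in InvokerServlet, or a /servlet/* url-pattern; those conventions and the sample web.xml are assumptions constructed for the example. Tomcat 4 declares the invoker in conf/web.xml, so run it against that file as well as the webapp's own.

```python
"""Audit a web.xml for invoker-servlet exposure and explicit /servlet/<class> mappings.

Added example, not code from the original thread. The invoker is recognised by the
assumed conventions: servlet-name "invoker", a class ending in InvokerServlet, or a
/servlet/* url-pattern.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the invoker still mapped, one servlet mapped the explicit way,
# and one servlet declared but never mapped (reachable only through the invoker).
INVOKER_MAPPING = """  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
"""

SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>com.mycompany.MyServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Orphan</servlet-name>
    <servlet-class>com.mycompany.OrphanServlet</servlet-class>
  </servlet>
""" + INVOKER_MAPPING + """  <servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/servlet/com.mycompany.MyServlet</url-pattern>
  </servlet-mapping>
</web-app>
"""

# The same file with the invoker mapping removed, which is what the Apache fix does.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(INVOKER_MAPPING, "")


def _local(tag):
    """Drop any XML namespace so DTD-style (2.3) and xmlns-style (2.4+) files look alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def audit_web_xml(xml_text):
    """Return a report dict describing invoker exposure and the state of each servlet."""
    root = ET.fromstring(xml_text)
    servlets, mappings = {}, {}          # name -> class, name -> [url-pattern, ...]
    for elem in root:
        tag = _local(elem.tag)
        if tag == "servlet":
            servlets[_child_text(elem, "servlet-name")] = _child_text(elem, "servlet-class")
        elif tag == "servlet-mapping":
            mappings.setdefault(_child_text(elem, "servlet-name"), []).append(
                _child_text(elem, "url-pattern"))

    invokers = {n for n, c in servlets.items()
                if n == "invoker" or (c or "").endswith("InvokerServlet")}
    invoker_active = any(n in invokers or "/servlet/*" in pats
                         for n, pats in mappings.items())
    app_servlets = {n: (c or "") for n, c in servlets.items() if n not in invokers}
    return {
        "invoker_active": invoker_active,
        # mapped exactly as suggested in the thread: /servlet/<fully qualified class>
        "explicitly_mapped": sorted(n for n, c in app_servlets.items()
                                    if "/servlet/" + c in mappings.get(n, [])),
        # declared but unmapped: only the invoker could ever have reached these
        "unmapped": sorted(n for n in app_servlets if n not in mappings),
        # mappings that name a servlet nobody declared
        "dangling": sorted(n for n in mappings if n not in servlets),
    }


if __name__ == "__main__":
    for label, text in (("current", SAMPLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(text))
```

In the sample, the "current" report flags the invoker as active and lists Orphan as unmapped, which is the catalog problem Tim mentions: until Orphan gets its own servlet-mapping, removing the invoker mapping (the "hardened" variant) silently makes it unreachable.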
