I did see my JSP source when I tried this bug (Tomcat 4.0.4/Apache 2.0.40). I just deleted my JKMount to servlet and mapped only the applications being used as mentioned in this group, and now I can no longer see my JSP source with this method.

I'll eventually move to Tomcat 4.0.5 but I wanted to apply some security immediately.

--
carrie s.

On Wed, Sep 25, 2002 at 03:15:31PM -0700, Mona Wong-Barnum wrote:
>
> I tried to test this security vulnerability on my tomcat 4.0.4 (alone)
> setup but wasn't able to view my JSP files as claimed.
>
> According to
> http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0, if my
> JSP file is accessible via http://donor.ucsd.edu:7873/ccdb/experiment/index.jsp
> then I should be able to view my source. However, I tried 2 different URLs
> (http://donor.ucsd.edu:7873/ccdb/experiment/org.apache.catalina.servlets.DefaultServlet/index.jsp
> and
> http://donor.ucsd.edu:7873/org.apache.catalina.servlets.DefaultServlet/ccdb/experiment/index.jsp)
> and all I got was a tomcat 404 error page.
>
> Has anyone actually been able to view their JSP source via this
> vulnerability?
>
> Mona
>
> ==================================================================
> Mona Wong-Barnum
> National Center for Microscopy and Imaging Research
> University of California, San Diego
> http://ncmir.ucsd.edu/
>
> "The truth shall set you free, but first it will piss you off"
> A Landmark instructor
> ==================================================================
>

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
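As an added example (not part of this thread), the following Python script scans Apache access-log lines for requests that carry the DefaultServlet class name as a path segment, the pattern used in the test URLs above, and reports whether the server answered 200 (something was served for the invoker path, which on the Tomcat 4.0.4 setup described here was the JSP source) or 404 (as in Mona's test). The log lines and the `/servlet/` invoker prefix are constructed assumptions for illustration.

```python
import re
from typing import Optional

# Apache common-log-format line (constructed for this example; a "combined"
# line with referer and user-agent also matches, the tail is ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Fully qualified class name that shows up as a path segment when a request
# is routed through the invoker servlet to DefaultServlet, as in the thread's URLs.
INVOKER_CLASS = "org.apache.catalina.servlets.DefaultServlet"

def classify(line: str) -> Optional[dict]:
    """Return a finding for a DefaultServlet-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    path = m.group("path").split("?", 1)[0]  # drop any query string
    if INVOKER_CLASS not in path.split("/"):
        return None  # ordinary request, no invoker path segment
    status = int(m.group("status"))
    # 200: the container served something for the invoker path (on an
    # unpatched 4.0.4 that is the JSP source); 404: no invoker mapping
    # reached the container, or the path was blocked at the front end.
    verdict = "likely source disclosure" if status == 200 else "probe (not served)"
    return {"ip": m.group("ip"), "path": path, "status": status, "verdict": verdict}

def scan(log_text: str) -> list:
    """Run classify() over every line and keep the findings, in order."""
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample: one normal request, then the two invoker-path forms
# (the /servlet/ prefix is the assumed invoker mapping, not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2002:15:20:01 -0700] "GET /ccdb/experiment/index.jsp HTTP/1.1" 200 2048
10.0.0.5 - - [25/Sep/2002:15:20:09 -0700] "GET /ccdb/experiment/org.apache.catalina.servlets.DefaultServlet/index.jsp HTTP/1.1" 404 812
10.0.0.5 - - [25/Sep/2002:15:20:15 -0700] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/ccdb/experiment/index.jsp HTTP/1.1" 200 3133
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['status']} {finding['path']} -> {finding['verdict']}")
```

Run it against a real access log by feeding the file's contents to `scan()`; a 200 finding is the one worth checking against the JkMount list.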