"Mona Wong-Barnum" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Sorry, I'm a moron, I commented out the wrong section in web.xml for the
> vulnerability (:
>
> All is well, 4.0.5 is now working for me.
>
> With 4.0.5, does it matter if the section in web.xml about the invoker
> is commented out or not?

Disabling the Invoker provides extra security against similar exploits
(although those would involve your classes, not Tomcat's [which are
checked]). Of course, if you are using URLs of the form
<http://myserver/myapp/servlet/MyServlet>, then you need the Invoker. In
this case, you need to enable the Invoker, and make certain that none of
your classes (not restricted to servlets) reveal information if invoked by
<http://myserver/myapp/servlet/edu.ucsd.mypackage.myclass>.

>
> Cheers,
>
> Mona
>
> ==================================================================
> Mona Wong-Barnum
> National Center for Microscopy and Imaging Research
> University of California, San Diego
> http://ncmir.ucsd.edu/
>
> "The truth shall set you free, but first it will piss you off"
> A Landmark instructor
> ==================================================================
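
Added example, not part of the original thread or of Tomcat: a small check that reports whether a web.xml still maps any URL pattern to the Invoker servlet, which catches the "commented out the wrong section" mistake. It assumes the `<servlet>` definition and its `<servlet-mapping>` live in the same file, as in Tomcat's conf/web.xml; the function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Servlet class Tomcat uses for the Invoker.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

def _local(tag):
    # Drop an XML namespace prefix such as "{uri}servlet" if one is present.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def active_invoker_patterns(web_xml_text):
    """Return the url-patterns still mapped to the Invoker servlet.

    The parser drops XML comments, so a mapping inside <!-- --> is ignored
    and only mappings the container would actually load are reported.
    """
    root = ET.fromstring(web_xml_text)
    invoker_names = {
        _child_text(e, "servlet-name")
        for e in root.iter()
        if _local(e.tag) == "servlet"
        and _child_text(e, "servlet-class") == INVOKER_CLASS
    }
    return [
        _child_text(e, "url-pattern")
        for e in root.iter()
        if _local(e.tag) == "servlet-mapping"
        and _child_text(e, "servlet-name") in invoker_names
    ]

# Constructed sample: the Invoker mapping is commented out (Invoker disabled).
DISABLED = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>"""
# Constructed sample: same file without the comment markers (Invoker active).
ENABLED = DISABLED.replace("<!--", "").replace("-->", "")
```

An empty result means no `/servlet/...` URL reaches the Invoker; a non-empty result lists the patterns under which arbitrary classes of the web application can be requested by name.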
