The hotfix simply disables access to Tomcat classes via the invoker.  This
disables the known exploit.  Any other exploit of the invoker depends on how
you have programmed your particular web-apps.  If the invoker is enabled,
then it is up to you to make certain that none of your classes can reveal
sensitive information if they are loaded this way.  Since this sort of
analysis is time-consuming, the invoker is now disabled by default in 4.1.x.

"Peter Lee" <[EMAIL PROTECTED]> wrote in message
news:3DC1FB9E.5460.792C2@;localhost...
> I downloaded the hotfix for disabling the invoker servlet.
> Inside the web.xml, the invoker servlet mapping was not
> commented out.
> Is the hotfix supposed to disable it or just work around it?
>
>   <!-- The mapping for the invoker servlet -->
>   <servlet-mapping>
>     <servlet-name>invoker</servlet-name>
>     <url-pattern>/servlet/*</url-pattern>
>   </servlet-mapping>
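A quick way to answer the question in the quoted message, as an added example that is not part of the thread: parse web.xml the way the container does, so a mapping that is only wrapped in an XML comment counts as disabled and a live `/servlet/*` mapping is reported. The `sample_web_xml` helper builds a constructed web.xml for both cases.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip a default namespace, so the check works for a 2.3 web.xml
    # (no namespace) and for later servlet-spec versions that set xmlns.
    return tag.rsplit('}', 1)[-1]

def invoker_mappings(web_xml_text):
    """Return the url-patterns actively mapped to the 'invoker' servlet.
    A commented-out <servlet-mapping> is never seen by the XML parser,
    so it does not count, which matches what the container itself does."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for elem in root.iter():
        if _local(elem.tag) != 'servlet-mapping':
            continue
        name = pattern = None
        for child in elem:
            if _local(child.tag) == 'servlet-name':
                name = (child.text or '').strip()
            elif _local(child.tag) == 'url-pattern':
                pattern = (child.text or '').strip()
        if name == 'invoker' and pattern:
            patterns.append(pattern)
    return patterns

def invoker_enabled(web_xml_text):
    """True if any URL pattern still routes requests to the invoker servlet."""
    return bool(invoker_mappings(web_xml_text))

INVOKER_MAPPING = """  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>"""

def sample_web_xml(mapping_commented_out):
    """Constructed sample web.xml (not a real Tomcat file): the invoker
    mapping is either live or wrapped in an XML comment."""
    mapping = INVOKER_MAPPING
    if mapping_commented_out:
        mapping = "  <!--\n" + mapping + "\n  -->"
    return ("<web-app>\n"
            "  <servlet>\n"
            "    <servlet-name>invoker</servlet-name>\n"
            "    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>\n"
            "  </servlet>\n"
            "  <!-- The mapping for the invoker servlet -->\n"
            + mapping + "\n</web-app>\n")
```

Running `invoker_enabled` over the real `conf/web.xml` tells you whether the hotfix left the mapping live (as the poster observed) or whether it has been commented out as in the 4.1.x defaults.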
