> -----Original Message-----
> From: Larry Meadors [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 19, 2002 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Should not be this hard(why is this a security risk)
>
>
> These messages indicate that a fix is in the works: "A new
> Tomcat 4.1.x release incorporating the fix to the invoker
> servlet will be made available shortly."
>
> Am I reading this correctly as saying the quick fix is to
> disable the invoker, but the long term fix is to change the
> invoker to make the problem go away?
Actually, it's more the other way around. The quick fix was to patch the
invoker servlet so that it doesn't allow you to invoke built-in servlets
(such as the DefaultServlet). That eliminates the specific JSP source
vulnerability that was reported in those messages.

However, other servlets could have analogous problems. If for some reason
you write a custom servlet that serves file content, for example, it could
be vulnerable. Worse, any third-party servlets in your classpath can be
executed, regardless of whether you actually use them or not in your
application.

All things said, the invoker servlet is a liability, and it's certainly not
necessary in any case. It's best to use explicit mappings.

--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863

>
> Larry
>
> >>> [EMAIL PROTECTED] 12/19/02 09:38 AM >>>
> See these messages:
> http://www.mail-archive.com/announcements@jakarta.apache.org/msg00122.html
> http://www.mail-archive.com/announcements@jakarta.apache.org/msg00128.html
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
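The "explicit mappings instead of the invoker" advice above, as an added example that is not part of the thread and not Tomcat's own code. The script parses two constructed web.xml excerpts: one modelled on the stock Tomcat 4.1 conf/web.xml, where the invoker servlet is mapped at /servlet/* and so exposes every servlet class on the classpath, and a hardened one where that mapping is commented out and the application's own servlet gets an explicit mapping. It then reports the url-patterns through which org.apache.catalina.servlets.InvokerServlet is still reachable, which is the check to run against a deployed instance's conf/web.xml and each WEB-INF/web.xml. Assumptions: com.example.OrderServlet is a hypothetical application servlet, and for the demo the global conf/web.xml and the application's WEB-INF/web.xml are merged into one document.

```python
"""Audit a Tomcat web.xml for the invoker servlet (added example, not Tomcat's code)."""
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample modelled on the stock Tomcat 4.1 conf/web.xml: the invoker is
# declared and mapped at /servlet/*, so a request for /servlet/<fully.qualified.Class>
# loads any servlet class on the classpath, built-in ones such as DefaultServlet included.
WEAK_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Hardened form: the invoker mapping is commented out (the <servlet> declaration may
# stay, nothing routes to it without a mapping) and the application's servlet gets an
# explicit mapping. com.example.OrderServlet is hypothetical; conf/web.xml and the
# app's WEB-INF/web.xml are merged into one constructed document for the demo.
HARDENED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>orders</servlet-name>
    <servlet-class>com.example.OrderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>orders</servlet-name>
    <url-pattern>/orders</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix: servlet 2.4+ web.xml files carry one, 2.3 files do not."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child element called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def explicit_mappings(web_xml_text):
    """url-pattern -> servlet-class for every live <servlet-mapping>.
    Commented-out mappings are dropped by the parser, so they never appear here."""
    root = ET.fromstring(web_xml_text)
    classes = {
        _child_text(s, "servlet-name"): _child_text(s, "servlet-class")
        for s in root.iter() if _local(s.tag) == "servlet"
    }
    return {
        _child_text(m, "url-pattern"): classes.get(_child_text(m, "servlet-name"), "<undeclared>")
        for m in root.iter() if _local(m.tag) == "servlet-mapping"
    }


def invoker_mappings(web_xml_text):
    """url-patterns through which the InvokerServlet is reachable (empty list = not exposed)."""
    return sorted(p for p, cls in explicit_mappings(web_xml_text).items() if cls == INVOKER_CLASS)


if __name__ == "__main__":
    for label, text in (("stock", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"{label}: invoker reachable at {invoker_mappings(text) or 'nothing'}")
        for pattern, cls in sorted(explicit_mappings(text).items()):
            print(f"  {pattern:12} -> {cls}")
```

Run it as-is and the stock sample reports the invoker at `/servlet/*` while the hardened one reports nothing; point `explicit_mappings` at a real file's contents to list exactly which classes a deployment exposes, and treat any non-empty `invoker_mappings` result as a finding regardless of whether the patched InvokerServlet build is installed, since the mapping still exposes every third-party servlet on the classpath.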