On Thu, 26 Sep 2002, Scott Eade wrote:
> From: "Dan K." <[EMAIL PROTECTED]>
> >
> > Hi fellow turbine users,
> >
> > Just to inform all those who use Jakarta Turbine (we use v2.1), the recent
> > vulnerability advisory for "Tomcat 4.x JSP source exposure security
> > advisory" applies because it also reveals template source (which isn't
> > too big a deal as long as no sensitive info is stored in there, but
> > still), which means it also reveals any file in *ANY* directory under your
> > webapp directory (/WEB-INF/ seems to be protected fine though). I was
> > able to test and confirm this on Tomcat 4.0.4.
> >
> > Please consult the advisory for fixes and work-arounds. Here's the link to
> > the announcement on the tomcat-user mailing list.
> >
> > http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg67053.html
> >
> > Regards,
> > Dan
>
> Thanks Dan - very useful post.
>
> Cheers,
>
> Scott

You're welcome! I thought it would've been useful to all of us. I originally thought it wouldn't have affected us because the advisory only mentioned JSP. Luckily I decided to dig deeper! :)

Regards,
Dan
