RE: JSP source being shown (not being executed)

2004-06-09 Thread Norris Shelton
iginal Message- > From: Michael Mehrle [mailto:[EMAIL PROTECTED] > Sent: Tuesday, June 08, 2004 2:44 PM > To: Tomcat Users List > Subject: Re: JSP source being shown (not being executed) > > > Actually, I'm not running Apache right now. This has something > to do wi

RE: JSP source being shown (not being executed)

2004-06-09 Thread Andy Eastham
out the permission of the sender. If you received this message in > error, > please notify me immediately so that I can correct and delete the original > email. Thank you. > > :: -Original Message- > :: From: Schalk [mailto:[EMAIL PROTECTED] > :: Sent: Tuesday, June 08,

RE: JSP source being shown (not being executed)

2004-06-08 Thread Schalk
original email. Thank you. :: -Original Message- :: From: Schalk [mailto:[EMAIL PROTECTED] :: Sent: Tuesday, June 08, 2004 9:27 PM :: To: 'Tomcat Users List' :: Subject: RE: JSP source being shown (not being executed) :: :: I stand under correction but, it may even be that this not

RE: JSP source being shown (not being executed)

2004-06-08 Thread Schalk
: Re: JSP source being shown (not being executed) :: :: Actually, I'm not running Apache right now. This has something to do with my :: servlet context (*.html) not being sent to the JSP engine - it's treating it :: like regular HTML right now. Strange, since my other mappings seem to wo

Re: JSP source being shown (not being executed)

2004-06-08 Thread Michael Mehrle
Users List'" <[EMAIL PROTECTED]> Sent: Tuesday, June 08, 2004 11:50 AM Subject: RE: JSP source being shown (not being executed) > I have seen that before with JDK not in the system path. > > -Original Message- > From: Michael Mehrle [mailto:[EMAIL PROTECTED] >

RE: JSP source being shown (not being executed)

2004-06-08 Thread Annie Guo
I have seen that before with JDK not in the system path. -Original Message- From: Michael Mehrle [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 08, 2004 2:44 PM To: Tomcat Users List Subject: Re: JSP source being shown (not being executed) Actually, I'm not running Apache right now.

Re: JSP source being shown (not being executed)

2004-06-08 Thread Michael Mehrle
m: "Schalk" <[EMAIL PROTECTED]> To: "'Tomcat Users List'" <[EMAIL PROTECTED]> Sent: Tuesday, June 08, 2004 11:23 AM Subject: RE: JSP source being shown (not being executed) Just a thought but, if you are running both Apache and Tomcat, Apache is probably pic

RE: JSP source being shown (not being executed)

2004-06-08 Thread Schalk
Users List :: Subject: JSP source being shown (not being executed) :: :: For some reason my JSP source is being shown - it's not being compiled and :: executed. It might be worthwhile mentioning that I am mapping some servlet :: context as *.html, which redirects to this jsp - but it worked in an

JSP source being shown (not being executed)

2004-06-08 Thread Michael Mehrle
For some reason my JSP source is being shown - it's not being compiled and executed. It might be worthwhile mentioning that I am mapping some servlet context as *.html, which redirects to this jsp - but it worked in another app of mine and inside my new app it doesn't work. I'm

RE: Mozilla showing JSP source code

2004-01-21 Thread Guy Rouillier
'm not going to argue with success. Thanks, Jeff (and all others who offered a suggestion.) > > Good luck, > > Jeff > > > -Original Message- > From: Guy Rouillier [mailto:[EMAIL PROTECTED] > Sent: Monday, January 19, 2004 5:36 PM > To: Tomcat Users List >

Re: Mozilla showing JSP source code

2004-01-20 Thread Sean Utt
"Guy Rouillier" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Tuesday, January 20, 2004 8:44 AM Subject: RE: Mozilla showing JSP source code Sean Utt wrote: > Hi, > > I used to see this when doing a response.sendRedirect() > without

RE: Mozilla showing JSP source code

2004-01-20 Thread Guy Rouillier
erly. Found some examples on the web, but can't get them to work. I'll keep plugging away. > > Good luck, > > Jeff > > > -Original Message- > From: Guy Rouillier [mailto:[EMAIL PROTECTED] > Sent: Monday, January 19, 2004 5:36 PM > To: Tomc

RE: Mozilla showing JSP source code

2004-01-20 Thread Guy Rouillier
Sean Utt wrote: > Hi, > > I used to see this when doing a response.sendRedirect() > without following it with a return(), but didn't see jsp > source, just html source. I did have a problem with mod_jk > showing .jsp source when the URI contained a // in the path > l

RE: Mozilla showing JSP source code

2004-01-20 Thread Hume, John - NA US HQ Delray
Getting off the topic of visible JSP source here, but ... Note that an HTTP redirect isn't just an additional header, it also means a different response status (302 Moved Temporarily instead of 200 OK). I was under the impression that calling response.sendRedirect cleared the buffer and c

Re: Mozilla showing JSP source code

2004-01-19 Thread Sean Utt
Hi, I used to see this when doing a response.sendRedirect() without following it with a return(), but didn't see jsp source, just html source. I did have a problem with mod_jk showing .jsp source when the URI contained a // in the path like http://dom.ain/context//file.jsp, but that sounds l

RE: Mozilla showing JSP source code

2004-01-19 Thread Jeff Greenland
t: Mozilla showing JSP source code I've tried to do due diligence on this issue, searching the archives as well as Google. I'm sure it is a common problem, but I found several questions and no definitive responses, so here goes. Our website works fine with IE, but we're having a

Mozilla showing JSP source code

2004-01-19 Thread Guy Rouillier
I've tried to do due diligence on this issue, searching the archives as well as Google. I'm sure it is a common problem, but I found several questions and no definitive responses, so here goes. Our website works fine with IE, but we're having a significant problem with Mozilla (and derivatives li

APACHE SHOWING JSP SOURCE ONLY!

2003-12-31 Thread Suneel
Hi, I have just configured JK_MOD 1.2.3 for apache2.0.48 with Tomcat 4.1.29 on RH 9.0. When I run my web apps from apache I get to see the source code of JSP instead of the JSP page itself. How do I fix this? regards suneel

Re: JSP source compilation error

2003-07-06 Thread Joe McGranaghan
Thanks for your help Tim. From: Tim Funk <[EMAIL PROTECTED]> Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]> To: Tomcat Users List <[EMAIL PROTECTED]> Subject: Re: JSP source compilation error Date: Sun, 06 Jul 2003 12:02:34 -0400 http://jakarta.apache.org/tomcat

Re: JSP source compilation error

2003-07-06 Thread Tim Funk
http://jakarta.apache.org/tomcat/faq/misc.html#compile -Tim Joe McGranaghan wrote: Using tomcat 4.1.18 I get the following error when trying to view my JSP page: An error occurred at line: -1 in the jsp file: null Generated servlet error: [javac] Compiling 1 source file F:\Program Files\ja

JSP source compilation error

2003-07-06 Thread Joe McGranaghan
Using tomcat 4.1.18 I get the following error when trying to view my JSP page: An error occurred at line: -1 in the jsp file: null Generated servlet error: [javac] Compiling 1 source file F:\Program Files\jakarta-tomcat-4.1.18\jakarta-tomcat-4.1.18\work\Standalone\localhost\lul\BrowseTop_jsp

Using a different java.io.Reader to load JSP source

2003-02-18 Thread Jan Kunzmann
Hi there, is there an "official" way to change the source of a JSP page from a regular JSP file to a String read from a database? I think that Jasper uses a subclass of java.io.Reader to read the file (org.apache.jasper.compiler.JspReader) - so maybe there's a way to use a java.io.StringReader

Re: JSP source

2003-01-10 Thread Will Hartung
> From: "Turner, John" <[EMAIL PROTECTED]> > Sent: Friday, January 10, 2003 5:08 AM > Subject: RE: JSP source > wget is a text-based client that can make HTTP and FTP requests, copying the > results to a file. wget is a popular program, but may not be installed on

RE: JSP source

2003-01-10 Thread Varley, Roger
> Hi > > I want to do some reporting that is to be called by a cron job. > > I do not want to use a reporting tool. Can use JSP > > > * to talk to the database > * fetch the relevant details > * format the details as a report > * fetch the HTML source of the generated rep

RE: JSP source

2003-01-10 Thread Turner, John
IL PROTECTED]] > Sent: Friday, January 10, 2003 4:29 AM > To: Tomcat Users List > Subject: RE: JSP source > > > Sorry for asking some dumb question. I'm not a unix person. > > What is wget and sendmail? > I cannot see those commands in UNIX. > > Thanks >

RE: JSP source

2003-01-10 Thread Ralph Einfeldt
Google is your friend: http://www.google.com/search?q=wget http://www.google.com/search?q=sendmail > -Original Message- > From: Deepa Raja [mailto:[EMAIL PROTECTED]] > Sent: Friday, January 10, 2003 10:29 AM > To: Tomcat Users List > Subject: RE: JSP source > > &g

RE: JSP source

2003-01-10 Thread Deepa Raja
Sorry for asking some dumb question. I'm not a unix person. What is wget and sendmail? I cannot see those commands in UNIX. Thanks Deepa -Original Message- From: Will Hartung [mailto:[EMAIL PROTECTED]] Sent: Friday, January 10, 2003 1:43 AM To: Tomcat Users List Subject: Re: JSP s

Re: JSP source

2003-01-09 Thread Will Hartung
> From: "Bodycombe, Andrew" <[EMAIL PROTECTED]> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]> > Subject: RE: JSP source > Fetching the HTML is straightforward. Just create a URL connection and read > the data from the stream. Yup, gre

RE: JSP source

2003-01-09 Thread Turner, John
Exactly. Something like java.net.URLConnection.getContent(), I believe. John > -Original Message- > From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]] > Sent: Thursday, January 09, 2003 10:48 AM > To: 'Tomcat Users List' > Subject: RE: JSP source >

RE: JSP source

2003-01-09 Thread Bodycombe, Andrew
b) reads the HTML c) mails it to the intended recipients. 3. Write a cron job to run your email component Andy -Original Message- From: Deepa Raja [mailto:[EMAIL PROTECTED]] Sent: 09 January 2003 15:43 To: Tomcat Users List Subject: RE: JSP source Hi John With JSP it is like a

RE: JSP source

2003-01-09 Thread Deepa Raja
sage, that's different. John > -Original Message- > From: Deepa Raja [mailto:[EMAIL PROTECTED]] > Sent: Thursday, January 09, 2003 8:30 AM > To: [EMAIL PROTECTED] > Subject: JSP source > > > Hi > > I want to do some reporting that is to be called by

RE: JSP source

2003-01-09 Thread Turner, John
's different. John > -Original Message- > From: Deepa Raja [mailto:[EMAIL PROTECTED]] > Sent: Thursday, January 09, 2003 8:30 AM > To: [EMAIL PROTECTED] > Subject: JSP source > > > Hi > > I want to do some reporting that is to be called by a cron job. >

JSP source

2003-01-09 Thread Deepa Raja
Hi I want to do some reporting that is to be called by a cron job. I do not want to use a reporting tool. Can use JSP * to talk to the database * fetch the relevant details * format the details as a report * fetch the HTML source of the generated report * an

[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability;Apache Tomcat 4.0.6 released

2002-10-09 Thread Remy Maucherat
A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5), which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by

AW: JSP Source visible with mod_jk

2002-10-03 Thread Holger Klein-Altstedde
PROTECTED]] Sent: Thursday, 3 October 2002 14:23 To: [EMAIL PROTECTED] Subject: Re: JSP Source visible with mod_jk Could you send us your httpd.conf and workers.properties setup ? -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mail

Re: JSP Source visible with mod_jk

2002-10-03 Thread Henri Gomez
Could you send us your httpd.conf and workers.properties setup ? -- To unsubscribe, e-mail: For additional commands, e-mail:

JSP Source visible with mod_jk

2002-10-02 Thread Holger Klein-Altstedde
Hi, I have an application run on a TC 4.0.5 and Apache 1.3.20 with mod_jk with a ajp13 Connector. Let's say I have an url http://www.mydomain.com/mydir/index.jsp. When I enter http://www.mydomain.com/mydir/index I got the source code of this jsp. If read the security updates on http://jakarta.ap

RE: Jsp source disclosure patch for legacy type 1 architectures

2002-09-26 Thread Brad Plies
Good eye! > On the other hand, the thing you posted to jguru has > the opposite > problem. You'll need to add a second servlet > mapping to the source > disclosure blocker for > /servlet/org.apache.catalina.servlets.DefaultServlet/ __ Do you Yahoo

RE: Jsp source disclosure patch for legacy type 1 architectures

2002-09-26 Thread Tim Moore
2-463-4860 ext. 258 / Fax 202-463-4863 > -Original Message- > From: Brad Plies [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, September 25, 2002 7:26 PM > To: Tomcat Users List > Subject: RE: Jsp source disclosure patch for legacy type 1 > architectures > > > Thanks for

RE: Questions about " [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability"

2002-09-26 Thread Milt Epstein
controlled by a servlet definition and mapping in the web.xml (in Tomcat 4.0.X, at least, and I assume 4.1.X as well) -- look for "invoker" in it. > -Original Message- > From: Adam Greene [mailto:[EMAIL PROTECTED]] > Sent: Thursday, September 26, 2002 2:47 PM > To:

RE: Questions about " [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability"

2002-09-26 Thread Andreas Mohrig
reating jsp's like static content. But the trouble is originating in the invoker servlet. Andreas Mohrig -Original Message- From: Adam Greene [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 26, 2002 2:47 PM To: Tomcat Users List Subject: Questions about " [SECURITY] Apac

Re: Questions about " [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability"

2002-09-26 Thread Tim Funk
The DefaultServlet is "ok". But it was being called by the invoker servlet in a roundabout (unintended manner). The invoker servlet is typically mapped to /servlet/* The invoker servlet should be disabled. Or "restricted" using many of the ways described in other threads. You should be fine a

Questions about " [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability"

2002-09-26 Thread Adam Greene
Maybe I don't understand, but DefaultServlet, which is supposed to serve static content is disabled... How are we supposed to serve up pictures, etc that are static?? -- To unsubscribe, e-mail: For additional commands, e-mail:

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-26 Thread Remy Maucherat
Carrie Salazar wrote: > I did see my JSP source when I tried this bug (Tomcat 4.0.4/Apache > 2.0.40). I just deleted my JKMount to servlet and mapped only > the applications being used as mentioned in this group and > now I can no longer see my JSP source with this method. > &g

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Carrie Salazar
I did see my JSP source when I tried this bug (Tomcat 4.0.4/Apache 2.0.40). I just deleted my JKMount to servlet and mapped only the applications being used as mentioned in this group and now I can no longer see my JSP source with this method. I'll eventually move to Tomcat 4.0.5 but I want

RE: Jsp source disclosure patch for legacy type 1 architectures

2002-09-25 Thread Brad Plies
ed > to be able to catalog all of the servlets that your > application was > using. > -- > Tim Moore / Blackboard Inc. / Software Engineer > 1899 L Street, NW / 5th Floor / Washington, DC 20036 > Phone 202-463-4860 ext. 258 / Fax 202-463-4863 > > > > -Or

RE: Jsp source disclosure patch for legacy type 1 architectures

2002-09-25 Thread Tim Moore
nc. / Software Engineer 1899 L Street, NW / 5th Floor / Washington, DC 20036 Phone 202-463-4860 ext. 258 / Fax 202-463-4863 > -Original Message- > From: Brad Plies [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, September 25, 2002 6:53 PM > To: [EMAIL PROTECTED] > Subject:

Jsp source disclosure patch for legacy type 1 architectures

2002-09-25 Thread Brad Plies
I am not sure about the process of offering patches & workarounds, but anyway, according to http://jakarta.apache.org/site/news.html#0924.1 the latest patch is actually only a disabling of the Invoker servlet. However some people with old code who are relying on the Invoker servlet and canno

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Tim Moore
/ 5th Floor / Washington, DC 20036 Phone 202-463-4860 ext. 258 / Fax 202-463-4863 > -Original Message- > From: Mona Wong-Barnum [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, September 25, 2002 6:16 PM > To: [EMAIL PROTECTED] > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Mona Wong-Barnum
iment/index.jsp) and all I got was a tomcat 404 error page. Has anyone actually been able to view their JSP source via this vulnerability? Mona == Mona Wong-Barnum National Center for Microscopy and Im

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Dan K.
I didn't test Velocity but there is not any reason that it will be resistant > > > to this exposure. > > > > > > Regards, > > > Rossen Raykov > > > > > > > -Original Message- > > > > From: Kent Perrier [mailto:[EMAIL

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Rob Reed
reason that it will be resistant > > to this exposure. > > > > Regards, > > Rossen Raykov > > > > > -Original Message- > > > From: Kent Perrier [mailto:[EMAIL PROTECTED]] > > > Sent: Tuesday, September 24, 2002 6:59 PM > > > To: Tomcat Users L

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Dan K.
st Velocity but there is not any reason that it will be resistant > to this exposure. > > Regards, > Rossen Raykov > > > -Original Message- > > From: Kent Perrier [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, September 24, 2002 6:59 PM > >

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Felipe Schnack
is not any reason that it will be resistant > to this exposure. > > Regards, > Rossen Raykov > > > -Original Message- > > From: Kent Perrier [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, September 24, 2002 6:59 PM > > To: Tomcat Users List > > S

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-25 Thread Rossen Raykov
> Sent: Tuesday, September 24, 2002 6:59 PM > To: Tomcat Users List > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source > disclosurevulnerability > > > On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote: > > OK, thanks. (The BugTraq search engine wasn't working

Re: JSP source code exposure in Tomcat 4.x

2002-09-25 Thread Carrie Salazar
> 3.2 Workaround: > There are at least two ways to protect from this vulnerability. > A. Tomcat in tandem with HTTP server front-end: > If you are using front-end HTTP server you can filter all > requests with the pattern */servlet/org.apache.catalina.servlets.DefaultServlet* > b. If you are usin

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Kent Perrier
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote: > OK, thanks. (The BugTraq search engine wasn't working when I checked > there.) > > So it sounds pretty much like what I thought it was. I still don't > understand why Velocity wouldn't be vulnerable to this exploit. It sounds to me lik

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Tim Moore
NW / 5th Floor / Washington, DC 20036 Phone 202-463-4860 ext. 258 / Fax 202-463-4863 > -Original Message- > From: Rossen Raykov [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, September 24, 2002 6:17 PM > To: 'Tomcat Users List' > Subject: RE: [SECURITY] Apache Tomcat 4

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Rossen Raykov
t Users List > Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source > disclosurevulnerability > > > I'm having a hard time finding many specifics about this exploit. It > sounds like you're forcing the default servlet to serve up the source > page as static content. W

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Rossen Raykov
. Regards, Rossen > -Original Message- > From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, September 24, 2002 5:26 PM > To: tomcat-dev; Tomcat Users List > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure > vulnerability > > >

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Tim Moore
From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, September 24, 2002 5:26 PM > To: tomcat-dev; Tomcat Users List > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source > disclosurevulnerability > > > on 2002/9/24 4:59 AM, "Remy Maucherat" <[

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Turner, John
ist > Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure > vulnerability > > > on 2002/9/24 4:59 AM, "Remy Maucherat" <[EMAIL PROTECTED]> wrote: > > > A security vulnerability has been confirmed to exist in all Apache > > Tomcat 4.

Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Jon Scott Stevens
on 2002/9/24 4:59 AM, "Remy Maucherat" <[EMAIL PROTECTED]> wrote: > A security vulnerability has been confirmed to exist in all Apache > Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which > allows to use a specially crafted URL to return the unprocessed source > of a JSP page,

Re: JSP source code exposure in Tomcat 4.x

2002-09-24 Thread Remy Maucherat
Veniamin Fichin wrote: > Rossen Raykov wrote: > >> Tomcat 4.x JSP source exposure security advisory >> >> 1. Summary >> Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are >> vulnerable to source code e

JSP source code exposure in Tomcat 4.x

2002-09-24 Thread Veniamin Fichin
Rossen Raykov wrote: > Tomcat 4.x JSP source exposure security advisory > > 1. Summary > Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are > vulnerable to source code exposure by using the default servlet > org.apache.catalina.servlets.Default

JSP source code exposure in Tomcat 4.x

2002-09-24 Thread Rossen Raykov
Tomcat 4.x JSP source exposure security advisory 1. Summary Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet. 2. Details: Let say you have valid URL like

[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat
A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwis

Webdav: how do I get to JSP source?

2001-10-02 Thread Ray Allis
... or anything else tomcat modifies during retrieve? Ray Allis

Re: Tomcat, Apache: JSP source code showed instead of generated HTML

2001-08-29 Thread Gero Vermaas - Sun Holland - Sun Java Centre - Java Consultant
>> >> >>I sent mail to this mailing list a while ago stating that I could not >> >>get apache to work with tomcat... well I tried all kinds of solutions, >> >>monitored the mailing list and unfortunately I still haven't been able >> >>to get it

Re: Tomcat, Apache: JSP source code showed instead of generated HTML

2001-08-29 Thread Dmitri Colebatch
ailing list a while ago stating that I could not > >>get apache to work with tomcat... well I tried all kinds of solutions, > >>monitored the mailing list and unfortunately I still haven't been able > >>to get it up and running. > >> > >>The problem: > >>

Re: Tomcat, Apache: JSP source code showed instead of generated HTML

2001-08-29 Thread Gero Vermaas
inds of solutions, >>monitored the mailing list and unfortunately I still haven't been able >>to get it up and running. >> >>The problem: >>- Requesting a JSP page by doing a request via port 8080 works fine >>- Requesting a JSP page via apache and mod_jk returns

Re: Tomcat, Apache: JSP source code showed instead of generated HTML

2001-08-29 Thread Dmitri Colebatch
l I tried all kinds of solutions, > monitored the mailing list and unfortunately I still haven't been able > to get it up and running. > > The problem: > - Requesting a JSP page by doing a request via port 8080 works fine > - Requesting a JSP page via apache and mod_jk returns

Tomcat, Apache: JSP source code showed instead of generated HTML

2001-08-29 Thread Gero Vermaas
request via port 8080 works fine - Requesting a JSP page via apache and mod_jk returns the JSP source code It seems that requests to JSPs are not directed to port 8007 of Tomcat. I try to give a concise description below, hopefully somebody can tell what I'm missing. It must be something simple

RE: precompile JSP with jspc & picking up changes in JSP source

2001-01-16 Thread Marc Saegesser
They are mutually exclusive. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, January 16, 2001 2:01 PM > To: [EMAIL PROTECTED] > Subject: precompile JSP with jspc & picking up changes in JSP source > > > I noticed t

precompile JSP with jspc & picking up changes in JSP source

2001-01-16 Thread William Au
I noticed that if I precompile JSP with jspc and setup servlet mapping in web.xml, changes to the original JSP file will not be picked up by Tomcat. Can I have both or are they mutually exclusive? Bill - To unsubscribe, e-mai