I'm forwarding this just in case someone *NOT* on the
[EMAIL PROTECTED] could be affected by it...

Peace!
James Mitchell



> -----Original Message-----
> From: Remy Maucherat [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 24, 2002 7:59 AM
> To: Tomcat Developers List; Tomcat Users List; announcements
> Subject: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
>
>
> A security vulnerability has been confirmed to exist in all Apache
> Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> allows a specially crafted URL to be used to return the unprocessed source
> of a JSP page, or, under special circumstances, a static resource which
> would otherwise have been protected by a security constraint, without the
> need to be properly authenticated.
>
> The cause
> ---------
>
> Using the invoker servlet in conjunction with the default servlet
> (responsible for handling static content in Tomcat) triggers this
> vulnerability. This particular configuration is available in the default
> Tomcat configuration.
>
> Workarounds
> -----------
>
> An easy workaround exists for existing Tomcat installations, by
> disabling the invoker servlet in the default webapp configuration.
>
> In the $CATALINA_HOME/conf/web.xml file (on Windows,
> %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML
> fragment:
>
>      <servlet-mapping>
>          <servlet-name>invoker</servlet-name>
>          <url-pattern>/servlet/*</url-pattern>
>      </servlet-mapping>
>
> Releases
> --------
>
> The Apache Tomcat Team announces the immediate availability of new
> releases which include a fix to the invoker servlet.
>
> Apache Tomcat 4.1.12 Stable:
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
>
> Apache Tomcat 4.0.5:
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/
>
> Remy
>
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
>
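As an added check, not part of the advisory or of Tomcat itself: a small Python script that parses a `conf/web.xml` and reports whether the invoker servlet is still mapped to a URL, so the workaround above can be verified rather than assumed. The `web.xml` content below is a constructed, trimmed sample (the servlet declarations are omitted), not Tomcat's shipped file.

```python
"""Audit a Tomcat 4.x conf/web.xml for the invoker servlet mapping named in the advisory."""
import xml.etree.ElementTree as ET

# The XML fragment the advisory asks you to comment out or remove (copied from the advisory).
INVOKER_MAPPING = """    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>"""

# Constructed, trimmed web.xml skeleton: only the default servlet mapping plus a slot for the invoker mapping.
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
{invoker}
</web-app>
"""

WEB_XML_DEFAULT = WEB_XML_TEMPLATE.format(invoker=INVOKER_MAPPING)                    # as shipped
WEB_XML_FIXED = WEB_XML_TEMPLATE.format(invoker="<!-- " + INVOKER_MAPPING + " -->")   # workaround applied


def invoker_url_patterns(web_xml):
    """Return every url-pattern routed to the servlet named 'invoker'.

    The parser discards XML comments, so a mapping that has been commented
    out (the advisory's workaround) is correctly not reported.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for mapping in root.iter("servlet-mapping"):
        if mapping.findtext("servlet-name", "").strip() == "invoker":
            patterns += [p.text.strip() for p in mapping.findall("url-pattern") if p.text]
    return patterns


def invoker_exposed(web_xml):
    """True while the invoker servlet is still reachable through any URL mapping."""
    return bool(invoker_url_patterns(web_xml))


if __name__ == "__main__":
    for label, doc in (("default web.xml", WEB_XML_DEFAULT), ("workaround applied", WEB_XML_FIXED)):
        print(f"{label}: invoker mapped at {invoker_url_patterns(doc) or 'nothing'}")
```

To audit a real installation, read `$CATALINA_HOME/conf/web.xml` into a string and pass it to `invoker_exposed`; the 4.0.5 and 4.1.12 releases fix the servlet itself, so a mapping there is not by itself a finding.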

