Tim Funk wrote:
> Would the following be vulnerable?
> 1) Use Jk only
> 2) do NOT use --> JkMount /servlet/* loadbalancer
> 3) But the invoker mapping is enabled
>
> Would they be vulnerable? I personally don't see a security flaw in this
> config. But does Jk also look for the text "jsessionid" being passed in
> the URL and automagically pass it along to tomcat? AFAIK - I thought a
> Rewrite rule needed to be added to have that behavior.
If you do end up passing any <context>/servlet/* URLs to Tomcat, then you're
safe. However, I would still edit conf/web.xml as explained in the advisory
to make sure there are no problems in the future.

Remy

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
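The conf/web.xml edit Remy recommends, shown here as an added example rather than text from the thread or the advisory: the Tomcat 4.x default that maps the invoker servlet at /servlet/*, followed by the same fragment with the invoker commented out so that no /servlet/* URL reaches it regardless of how mod_jk is configured. The servlet name and class are Tomcat's standard ones; the rest of the file is assumed.

```xml
<!-- BEFORE: invoker enabled (Tomcat 4.x default conf/web.xml) -->
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

<!-- AFTER: invoker disabled. Commenting out the mapping alone stops
     /servlet/* from being routed to it; commenting out the servlet
     definition as well keeps the class from being loaded at all. -->
<!--
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
```

After restarting Tomcat, a request to any /servlet/... path should return 404 from Tomcat itself, which is the check that the fix holds even if a JkMount for /servlet/* is added later.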