On Thu, 19 Dec 2002, Tim Moore wrote:
> Date: Thu, 19 Dec 2002 12:48:37 -0500
> From: Tim Moore <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: Should not be this hard(why is this a security risk)
>
> > -----Original Message-----
> > From: Larry Meadors [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, December 19, 2002 12:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Should not be this hard(why is this a security risk)
> >
> > These messages indicate that a fix is in the works: "A new
> > Tomcat 4.1.x release incorporating the fix to the invoker
> > servlet will be made available shortly."
> >
> > Am I reading this correctly as saying the quick fix is to
> > disable the invoker, but the long term fix is to change the
> > invoker to make the problem go away?
>
> Actually, it's more the other way around.
>
> The quick fix was to patch the invoker servlet so that it doesn't allow
> you to invoke built-in servlets (such as the DefaultServlet). That
> eliminates the specific JSP source vulnerability that was reported in
> those messages.
>
> However, other servlets could have analogous problems. If for some
> reason you write a custom servlet that serves file content, for example,
> it could be vulnerable. Worse, any third-party servlets in your
> classpath can be executed, regardless of whether you actually use them
> or not in your application. All things said, the invoker servlet is a
> liability, and it's certainly not necessary in any case. It's best to
> use explicit mappings.
>

I agree with the above. For those who have existing applications based on
"/servlet/foo" type URLs, you can emulate what the invoker servlet does by
defining your servlet mappings cleverly. Assume you've got servlet classes
"com.mypackage.Foo" and "com.mypackage.Bar" that you access with URLs like
"/servlet/com.mypackage.Foo" and "/servlet/com.mypackage.Bar".

Adding the following to your web.xml will make those URLs work just as
before without adding the vulnerability:

    <servlet>
      <servlet-name>foo</servlet-name>
      <servlet-class>com.mypackage.Foo</servlet-class>
    </servlet>

    <servlet>
      <servlet-name>bar</servlet-name>
      <servlet-class>com.mypackage.Bar</servlet-class>
    </servlet>

    <servlet-mapping>
      <servlet-name>foo</servlet-name>
      <url-pattern>/servlet/com.mypackage.Foo/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
      <servlet-name>bar</servlet-name>
      <url-pattern>/servlet/com.mypackage.Bar/*</url-pattern>
    </servlet-mapping>

Of course, you can also map your servlets to any other context-relative URL
that you like, so you can make the URLs your users see prettier.

> --
> Tim Moore / Blackboard Inc. / Software Engineer
> 1899 L Street, NW / 5th Floor / Washington, DC 20036
> Phone 202-463-4860 ext. 258 / Fax 202-463-4863
>

Craig

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
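As an added illustration of the advice above (not code from the thread or from the Tomcat project), the script below audits a web.xml for a still-active invoker mapping and lists the explicit per-servlet mappings that replace it. It assumes the invoker class name org.apache.catalina.servlets.InvokerServlet and the servlet name "invoker" that Tomcat 4 uses in its global conf/web.xml, and the embedded descriptor is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Class behind Tomcat 4's "invoker" servlet (assumed from conf/web.xml, not stated in the thread).
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

def _name(el):
    # Drop any namespace prefix so Servlet 2.3 (DTD) and 2.4+ (xmlns) descriptors both work.
    return el.tag.rsplit("}", 1)[-1]

def _child_text(el, tag):
    for c in el:
        if _name(c) == tag and c.text:
            return c.text.strip()
    return None

def audit_web_xml(xml_text):
    """Return (invoker_findings, explicit_mappings) for one web.xml."""
    root = ET.fromstring(xml_text)
    classes = {_child_text(s, "servlet-name"): _child_text(s, "servlet-class")
               for s in root if _name(s) == "servlet"}
    findings, mappings = [], {}
    for m in root:
        if _name(m) != "servlet-mapping":
            continue
        name, pattern = _child_text(m, "servlet-name"), _child_text(m, "url-pattern")
        cls = classes.get(name)
        # Flag the invoker whether declared locally or inherited from conf/web.xml
        # (assumed global name "invoker"), and any catch-all /servlet/* pattern.
        if cls == INVOKER_CLASS or (cls is None and name == "invoker") or pattern == "/servlet/*":
            findings.append(f"{name} -> {pattern}")
        else:
            mappings[pattern] = cls
    return findings, mappings

# Constructed descriptor: the thread's explicit mappings plus a leftover invoker mapping.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>foo</servlet-name><servlet-class>com.mypackage.Foo</servlet-class></servlet>
  <servlet><servlet-name>bar</servlet-name><servlet-class>com.mypackage.Bar</servlet-class></servlet>
  <servlet-mapping><servlet-name>foo</servlet-name><url-pattern>/servlet/com.mypackage.Foo/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>bar</servlet-name><url-pattern>/servlet/com.mypackage.Bar/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>invoker</servlet-name><url-pattern>/servlet/*</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    bad, good = audit_web_xml(SAMPLE_WEB_XML)
    print("invoker still mapped:", bad, "\nexplicit mappings:", good)
```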