Posted to users@tomcat.apache.org by Tim Moore <tm...@blackboard.com> on 2002/09/24 23:34:21 UTC

RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

I'm having a hard time finding many specifics about this exploit. It
sounds like you're forcing the default servlet to serve up the source
page as static content.  Why isn't Velocity vulnerable in the same way?

I'll buy that Velocity is faster than JSP, and certainly can be more
concise and readable.  I haven't seen much about security.  What makes
it more secure than JSP?
-- 
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863


> -----Original Message-----
> From: Jon Scott Stevens [mailto:jon@latchkey.com] 
> Sent: Tuesday, September 24, 2002 5:26 PM
> To: tomcat-dev; Tomcat Users List
> Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> 
> 
> on 2002/9/24 4:59 AM, "Remy Maucherat" <re...@apache.org> wrote:
> 
> > A security vulnerability has been confirmed to exist in all Apache
> > Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> > allows a specially crafted URL to return the unprocessed source of a
> > JSP page, or, under special circumstances, a static resource which
> > would otherwise have been protected by a security constraint, without
> > the need for being properly authenticated.
> 
> Once again...JSP sucks and Velocity is the right way to 
> go...you will never have to worry about your container 
> spilling your beans (pun intended).
> 
> Given that Tomcat gets around 100k+ downloads/week...imagine 
> how many servers now need to be updated and how much money 
> and time that will cost to do so?
> 
>     http://jakarta.apache.org/velocity/
> 
> Wake up people. Velocity is faster and more secure than JSP will ever
> be.
> 
> -jon
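Tim's reading of the advisory (the default servlet handing back the page as static content) suggests a simple check an operator can run against their own server: fetch a JSP through its normal URL and through whatever alternative path is under suspicion, and look at whether the body that comes back is rendered HTML or unprocessed source. The Python below is an added example, not code from this thread, from Tomcat or from Velocity. The two sample response bodies are constructed, and the crafted URL itself is not reproduced here because the thread does not give it; `probe()` takes whatever URLs you supply.

```python
import re
import urllib.request
from typing import NamedTuple, Tuple

# Constructs that exist only in unprocessed JSP.  Once the container has
# compiled and run the page, none of these survive into the HTML it emits.
_JSP_MARKERS = (
    ("directive",   re.compile(r"<%@\s*(page|include|taglib)\b")),
    ("declaration", re.compile(r"<%!")),
    ("expression",  re.compile(r"<%=")),
    ("comment",     re.compile(r"<%--")),
    ("scriptlet",   re.compile(r"<%(?![@!=-])")),
    ("action",      re.compile(r"<jsp:(include|forward|useBean|setProperty|getProperty|param|plugin)\b")),
)

# Content types a static-file servlet would plausibly hand out for a .jsp it
# does not understand; the JSP servlet itself produces text/html for a
# rendered page.  (Assumption for this example, not a statement about any
# particular Tomcat release.)
_STATIC_TYPES = {"text/plain", "application/octet-stream", ""}


class Verdict(NamedTuple):
    source_disclosed: bool
    markers: Tuple[str, ...]   # JSP constructs found in the body
    served_as_static: bool     # content type looks like a static-file servlet's


def classify_response(content_type: str, body: bytes) -> Verdict:
    """Decide whether an HTTP response is raw JSP source rather than rendered output."""
    text = body.decode("utf-8", errors="replace")
    found = tuple(name for name, rx in _JSP_MARKERS if rx.search(text))
    ct = content_type.split(";", 1)[0].strip().lower()
    return Verdict(bool(found), found, ct in _STATIC_TYPES)


def probe(url: str, timeout: float = 10.0) -> Verdict:
    """Fetch url and classify the response.  Run it once on the page's normal
    URL and once on each candidate path; source_disclosed=True for any of them
    means the container handed out the page source instead of running it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify_response(resp.headers.get("Content-Type", ""), resp.read())


# Constructed sample responses (not captured from any real server).
RENDERED_PAGE = (
    b"<html><body><h1>Hello, guest</h1><p>You have 3 items.</p></body></html>\n"
)
LEAKED_SOURCE = (
    b'<%@ page import="java.util.*" %>\n'
    b"<%-- greeting page --%>\n"
    b'<% String user = request.getParameter("user"); %>\n'
    b"<html><body><h1>Hello, <%= user %></h1></body></html>\n"
)

if __name__ == "__main__":
    for label, ct, body in (("normal", "text/html", RENDERED_PAGE),
                            ("crafted", "text/plain", LEAKED_SOURCE)):
        v = classify_response(ct, body)
        print(f"{label:8s} disclosed={v.source_disclosed} "
              f"markers={v.markers} static={v.served_as_static}")
```

The body check is the one that matters: a leaked page is recognisable by its directives, scriptlets and expressions regardless of what content type accompanies it, so `served_as_static` is only a secondary hint about which servlet answered.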
