Posted to users@tomcat.apache.org by Milt Epstein <me...@uiuc.edu> on 2002/09/26 16:10:32 UTC

RE: Questions about "[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability"

On Thu, 26 Sep 2002, Andreas Mohrig wrote:

> The servlet to be disabled is the invoker servlet, not the
> DefaultServlet.  The reason you see "DefaultServlet" so much in
> these postings is that the DefaultServlet can be "tricked" into
> serving the sources of your jsp's by invoking it over the invoker
> servlet, thereby treating jsp's like static content. But the trouble
> is originating in the invoker servlet.

Right.  And to add a bit of perhaps clarifying information, "invoking"
in this context means calling a servlet using a URL of the form:

  http://www.domain.com/context/servlet/full.class.name.of.servlet

that is, "/servlet" is a virtual directory that invokes the invoker
servlet, and "full.class.name.of.servlet" includes the package and
class name of the servlet class.  This was the main/only way of
calling servlets way back when, but now the favored way is to define
servlets in web.xml.  And some say this invoking method of calling
servlets should be disabled as a security precaution anyway, and only
defined servlets should be allowed (i.e., even before this bug showed
up).

This is all controlled by a servlet definition and mapping in the
web.xml (in Tomcat 4.0.X, at least, and I assume 4.1.X as well) --
look for "invoker" in it.


> -----Original Message-----
> From: Adam Greene [mailto:agreene@romulin.com]
> Sent: Thursday, September 26, 2002 2:47 PM
> To: Tomcat Users List
> Subject: Questions about " [SECURITY] Apache Tomcat 4.x JSP source
> disclosure vulnerability"
>
> Maybe I don't understand, but DefaultServlet, which is supposed to
> serve static content is disabled... How are we supposed to serve up
> pictures, etc that are static??

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu
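As an added illustration of the web.xml check described in the post (this is example code, not something from the mailing list or from Tomcat itself), the script below parses a Tomcat 4.x conf/web.xml and reports any servlet-mapping that still routes to the invoker servlet. The class name org.apache.catalina.servlets.InvokerServlet and the "/servlet/*" pattern are Tomcat 4.x's stock values; the two embedded web.xml fragments are constructed samples, one with the invoker active and one with the definition and mapping commented out, and the function names are my own.

```python
"""Audit a Tomcat 4.x web.xml for an active invoker servlet mapping.

Added example, not code from the mailing-list post or from Tomcat.
Assumes the Servlet 2.3 web.xml layout (no XML namespace) that
Tomcat 4.x ships in conf/web.xml.
"""
import sys
import xml.etree.ElementTree as ET

# Stock class name of the invoker servlet in Tomcat 4.x.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample: invoker defined and mapped, as shipped by default.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: same file after the administrator has commented the
# invoker definition and mapping out. The DefaultServlet stays in place, so
# static content (images etc.) is still served.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <!--
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  -->
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


def find_invoker_mappings(web_xml_text):
    """Return the url-patterns that route requests to the invoker servlet.

    A mapping counts if its servlet-name refers to a <servlet> whose class
    is the InvokerServlet, or if it uses the classic /servlet/* pattern.
    ElementTree drops XML comments, so a mapping that has been commented
    out is not reported.
    """
    root = ET.fromstring(web_xml_text)
    invoker_names = set()
    for servlet in root.findall("servlet"):
        name = servlet.findtext("servlet-name", default="").strip()
        cls = servlet.findtext("servlet-class", default="").strip()
        if cls == INVOKER_CLASS:
            invoker_names.add(name)
    patterns = []
    for mapping in root.findall("servlet-mapping"):
        name = mapping.findtext("servlet-name", default="").strip()
        pattern = mapping.findtext("url-pattern", default="").strip()
        if name in invoker_names or pattern == "/servlet/*":
            patterns.append(pattern)
    return patterns


def invoker_enabled(web_xml_text):
    """True when at least one mapping still reaches the invoker servlet."""
    return bool(find_invoker_mappings(web_xml_text))


if __name__ == "__main__":
    # Usage: python audit_invoker.py /path/to/tomcat/conf/web.xml
    # Without an argument the two constructed samples are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="iso-8859-1") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"vulnerable sample": VULNERABLE_WEB_XML,
                   "hardened sample": HARDENED_WEB_XML}
    for label, text in samples.items():
        found = find_invoker_mappings(text)
        state = "ENABLED via " + ", ".join(found) if found else "disabled"
        print(f"{label}: invoker servlet {state}")
```

Run it against a live conf/web.xml (Tomcat 4.x defaults to ISO-8859-1 for that file) to confirm the mapping is really gone after editing; a web.xml inside an individual application's WEB-INF can also declare the invoker, so the same check applies there.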

