Bugtraq mailing list archives
RE: JSP source code exposure in Tomcat 4.x
From: "Martin Robson" <bugtraq () radialsoftware com>
Date: Tue, 24 Sep 2002 17:43:21 -0700
No your best bet is to comment out the following line (and no it won't be all on one line) from your web.xml file then schedule to upgrade to Tomcat 4.1.12 Stable or Tomcat 4.0.5.

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

The Jakarta Team has already posted a response to this bug, it can be viewed here:
http://jakarta.apache.org/site/news.html

------------------
Martin Robson
Radial Software Development Inc.
Direct - (604) 868-1503
Main - (604) 692-5971
martin () radialsoftware com
http://www.radialsoftware.com

-----Original Message-----
From: Marcin Jackowski [mailto:master () px pl]
Sent: Tuesday, September 24, 2002 12:30 PM
To: bugtraq () securityfocus com
Subject: Re: JSP source code exposure in Tomcat 4.x

[...]
3.2 Workaround:
[...]

Quicker (brute) method - remove completely $TOMCAT_HOME/server/lib/servlets-default.jar. The server complains but applications seem to work correctly (unless you're using it).

Stated for Tomcat version 4.0.1, 4.0.4 and 4.1.10.

Marcin Jackowski
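
An added example, not part of the original thread and not Tomcat's own code: a check that the web.xml workaround described above has actually taken effect, that is, that no live (uncommented) servlet-mapping for the invoker servlet remains. The two sample documents are constructed for illustration; the function and variable names are this example's own, and web.xml paths are passed on the command line.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): invoker mapping still live.
ACTIVE = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Same constructed document with only the mapping commented out, as advised.
COMMENTED = (ACTIVE.replace("<servlet-mapping>", "<!-- <servlet-mapping>")
                   .replace("</servlet-mapping>", "</servlet-mapping> -->"))


def local(tag):
    """Drop an XML namespace prefix so DTD- and schema-style web.xml both match."""
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml, servlet_name="invoker"):
    """Return the url-patterns still mapped to servlet_name.

    The parser discards XML comments, so a commented-out mapping is not
    reported; a servlet definition without a mapping is not reported either.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for el in root.iter():
        if local(el.tag) != "servlet-mapping":
            continue
        names = [(c.text or "").strip() for c in el if local(c.tag) == "servlet-name"]
        if servlet_name in names:
            patterns += [(c.text or "").strip() for c in el
                         if local(c.tag) == "url-pattern"]
    return patterns


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:  # bytes, so the file's own encoding is honoured
            found = active_mappings(fh.read())
        print(f"{path}: {'invoker mapped at ' + ', '.join(found) if found else 'no live invoker mapping'}")
```
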
Current thread:
- JSP source code exposure in Tomcat 4.x Rossen Raykov (Sep 24)
- Re: JSP source code exposure in Tomcat 4.x DominusQ (Sep 24)
- Re: JSP source code exposure in Tomcat 4.x Marcin Jackowski (Sep 24)
- RE: JSP source code exposure in Tomcat 4.x Martin Robson (Sep 25)