Bugtraq mailing list archives

RE: JSP source code exposure in Tomcat 4.x

From: "Martin Robson" <bugtraq () radialsoftware com>
Date: Tue, 24 Sep 2002 17:43:21 -0700


No your best bet is to comment out the following line (and no it won't
be all on one line) from your web.xml file then schedule to upgrade to
Tomcat 4.1.12 Stable or Tomcat 4.0.5.

<servlet-mapping> <servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern> </servlet-mapping> 

The Jakarta Team has already posted a response to this bug, it can be
viewed here: http://jakarta.apache.org/site/news.html

------------------
Martin Robson
Radial Software Development Inc.
Direct - (604) 868-1503
Main - (604) 692-5971
martin () radialsoftware com
 
http://www.radialsoftware.com
 


-----Original Message-----
From: Marcin Jackowski [mailto:master () px pl] 
Sent: Tuesday, September 24, 2002 12:30 PM
To: bugtraq () securityfocus com
Subject: Re: JSP source code exposure in Tomcat 4.x


[...]


      3.2 Workaround:

[...]

Quicker (brute) method - remove completely
$TOMCAT_HOME/server/lib/servlets-default.jar.
The server complains but applications seem to work correctly (unless
you're using it).

Stated for Tomcat version 4.0.1, 4.0.4 and 4.1.10.

Marcin Jackowski

Current thread:

JSP source code exposure in Tomcat 4.x Rossen Raykov (Sep 24)
- Re: JSP source code exposure in Tomcat 4.x DominusQ (Sep 24)
- Re: JSP source code exposure in Tomcat 4.x Marcin Jackowski (Sep 24)
  - RE: JSP source code exposure in Tomcat 4.x Martin Robson (Sep 25)