Bugtraq mailing list archives
GLSA: tomcat
From: Daniel Ahlberg <aliz () gentoo org>
Date: Wed, 25 Sep 2002 14:09:50 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
                 GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE : tomcat
SUMMARY : source exposure
DATE    : 2002-09-25 11:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.

DETAIL

Let's say you have a valid URL like http://my.site/login.jsp; then a URL like
http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
will give you the source code of the JSP page.

The full syntax of the exposure URL is:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp

More information can be found at:
http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/tomcat-4.04 and earlier update their systems as follows:

emerge rsync
emerge tomcat
emerge clean

- - --------------------------------------------------------------------
aliz () gentoo org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9kaeOfT7nyhUpoZMRAjecAJwLLkCyj/iVWlRFN+1RrzR4oo9dlQCgi1PV
DTRyRrBXhKFbP7+ScPIx2A8=
=S0kw
-----END PGP SIGNATURE-----
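Added example for administrators reviewing their own servers (this is editorial code, not part of the advisory and not Gentoo's or Apache's): a small Python scanner that reads access-log lines in Common Log Format, flags requests that route a .jsp file through org.apache.catalina.servlets.DefaultServlet using the URL shape the advisory describes, and records whether the server answered 200. The match is anchored on the servlet class name alone, so it covers both the advisory's worked example (with the servlet/ invoker prefix) and its syntax line (without it). The log lines, client addresses, timestamps and all function names are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Pattern derived from the exposure URL syntax in the advisory:
#   /[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
# The advisory's worked example also carries a "servlet/" prefix before the class
# name, so the match is anchored on the class name only, which covers both forms.
DEFAULT_SERVLET_JSP = re.compile(
    r"/org\.apache\.catalina\.servlets\.DefaultServlet/(?P<target>[^?\s]+\.jsp)",
    re.IGNORECASE,
)

# Common Log Format (assumed log layout for this example):
#   host ident authuser [date] "METHOD path PROTOCOL" status bytes
CLF_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log: addresses, timestamps and paths are made up for the example.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [25/Sep/2002:11:30:01 +0000] "GET /login.jsp HTTP/1.1" 200 1834',
    '10.0.0.7 - - [25/Sep/2002:11:30:05 +0000] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.1" 200 2210',
    '10.0.0.7 - - [25/Sep/2002:11:30:09 +0000] "GET /shop/org.apache.catalina.servlets.DefaultServlet/checkout.jsp HTTP/1.0" 404 512',
    '10.0.0.9 - - [25/Sep/2002:11:31:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4096',
    'this line is not in Common Log Format and is skipped',
]


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one CLF line, or None if the line does not parse."""
    m = CLF_LINE.match(line)
    return m.groupdict() if m else None


def find_source_exposure_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests that route a JSP through DefaultServlet, as described in the advisory.

    'served' is True when the server answered 200, i.e. the JSP source was most
    likely returned. After updating, a non-200 answer is what you want to see here.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        m = DEFAULT_SERVLET_JSP.search(rec["path"])
        if not m:
            continue
        hits.append({
            "host": rec["host"],
            "time": rec["time"],
            "path": rec["path"],
            "target": m.group("target"),
            "status": int(rec["status"]),
            "served": rec["status"] == "200",
        })
    return hits


def summarize_by_host(hits: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Count flagged requests per client host, split into served and refused."""
    summary: Dict[str, Dict[str, int]] = {}
    for h in hits:
        entry = summary.setdefault(str(h["host"]), {"served": 0, "refused": 0})
        entry["served" if h["served"] else "refused"] += 1
    return summary


if __name__ == "__main__":
    found = find_source_exposure_attempts(SAMPLE_ACCESS_LOG)
    for hit in found:
        flag = "SOURCE LIKELY SERVED" if hit["served"] else "refused"
        print(f'{hit["time"]} {hit["host"]} -> {hit["target"]} [{hit["status"]}] {flag}')
    print(summarize_by_host(found))
```

Run it against a real Tomcat access log by replacing SAMPLE_ACCESS_LOG with the file's lines; the status split is the useful part, since a 200 on a flagged request before the update is evidence that JSP source left the server, while only non-200 answers after emerging the fixed package indicate the update took effect.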