[27179] in bugtraq


RE: JSP source code exposure in Tomcat 4.x

daemon@ATHENA.MIT.EDU (Martin Robson)
Wed Sep 25 11:52:58 2002

From: "Martin Robson" <bugtraq@radialsoftware.com>
To: "'Marcin Jackowski'" <master@px.pl>, <bugtraq@securityfocus.com>
Date: Tue, 24 Sep 2002 17:43:21 -0700
Message-ID: <000001c2642c$92bfb0d0$1e375418@home>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.LNX.4.21.0209242123300.29513-100000@px.pl>


No, your best bet is to comment out the following line (and no, it won't
be all on one line) from your web.xml file, then schedule to upgrade to
Tomcat 4.1.12 Stable or Tomcat 4.0.5.

<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

The Jakarta Team has already posted a response to this bug; it can be
viewed here: http://jakarta.apache.org/site/news.html

------------------
Martin Robson
Radial Software Development Inc.
Direct - (604) 868-1503
Main - (604) 692-5971
martin@radialsoftware.com
 
http://www.radialsoftware.com
 


-----Original Message-----
From: Marcin Jackowski [mailto:master@px.pl] 
Sent: Tuesday, September 24, 2002 12:30 PM
To: bugtraq@securityfocus.com
Subject: Re: JSP source code exposure in Tomcat 4.x


[...]
> 
> 	3.2 Workaround:
[...]

Quicker (brute) method: remove $TOMCAT_HOME/server/lib/servlets-default.jar
completely.
The server complains, but applications seem to work correctly (unless
you're using it).

Stated for Tomcat versions 4.0.1, 4.0.4 and 4.1.10.

Marcin Jackowski
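The following is an added example, not code from either poster or from the Tomcat project: a small audit that parses a Tomcat 4.x web.xml and reports whether the "invoker" servlet mapping for /servlet/* (the mapping Martin Robson's workaround comments out) is still active. It assumes the servlet-name and url-pattern quoted in the reply above; the web.xml samples and the InvokerServlet class name in them are constructed for the example.

```python
# Added example (not from the original thread): check a Tomcat 4.x web.xml for
# the "invoker" servlet mapping that the workaround above comments out.
# Assumes servlet-name "invoker" and url-pattern "/servlet/*" as in the post;
# the web.xml text below is constructed for this example.
import xml.etree.ElementTree as ET
from typing import List

INVOKER_SERVLET_NAME = "invoker"


def invoker_url_patterns(web_xml_text: str) -> List[str]:
    """Return every url-pattern still mapped to the invoker servlet.

    The XML parser drops comments, so a mapping that has been commented out
    (the workaround) never shows up here. An empty list means the mapping
    is disabled.
    """
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root.iter("servlet-mapping"):
        name = mapping.findtext("servlet-name", default="").strip()
        pattern = mapping.findtext("url-pattern", default="").strip()
        if name == INVOKER_SERVLET_NAME and pattern:
            patterns.append(pattern)
    return patterns


def invoker_exposed(web_xml_text: str) -> bool:
    """True when any path (by default /servlet/*) still reaches the invoker."""
    return bool(invoker_url_patterns(web_xml_text))


# Constructed sample: a default-style conf/web.xml with the mapping active.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file after wrapping the mapping in an XML comment.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<servlet-mapping>", "<!-- <servlet-mapping>"
).replace("</servlet-mapping>", "</servlet-mapping> -->")

if __name__ == "__main__":
    for label, text in (("before", VULNERABLE_WEB_XML), ("after", FIXED_WEB_XML)):
        print(label, "invoker exposed" if invoker_exposed(text) else "mapping disabled")
```

Run it against a real conf/web.xml by reading the file into a string; Marcin Jackowski's jar-removal method is not visible to this check, since it leaves web.xml unchanged.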



