Tomcat 4.0-beta-3 Released (SECURITY VULNERABILITY)

2001-04-02 Thread Craig R. McClanahan
Tomcat 4.0-beta-3 is an update to the Tomcat 4.0-beta-2 distribution that was released on 30 March 2001. It fixes a further security vulnerability related to potentially exposing JSP source that was only partially corrected in beta 2. Anyone using versions of Tomcat 4.0 earlier than the beta 3 r

cvs commit: jakarta-tomcat/src/doc mod_jk-howto.html

2001-04-02 Thread hgomez
hgomez 01/04/02 23:47:34 Modified: src/doc mod_jk-howto.html Log: Correct documentation since in mod_jk warn log level didn't exist, use info instead (half-close BUG #332) Add info about JkLogStampFormat directive Revision Changes Path 1.7 +11 -10 jakarta-to

RE: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread GOMEZ Henri
>> I suggest that we create a revised version of beta >> 2, clearly labelled so >> that people will know whether they have the >> corrected version or not -- >> and we should do this immediately (like today) to >> minimize the number of >> people who end up downloading twice. >> >> I suggest we c

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread martin
Mel Martinez wrote: > --- Bip Thelin <[EMAIL PROTECTED]> wrote: > [snip] >> >> +1 on having CGI in web.xml but commented out, >> regarding SSI I suggest >> we add a configure property (like Apache's NoExec) >> that sets whether #exec is >> allowed or not. And if that property is not set it >>

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread martin
Amy, Thanks for the feedback; see comments inline. Martin Amy Roh wrote: > Hi Martin, > > See comments below. > > Martin Dengler wrote: > [snip] >>> If so, would people prefer I do that myself and >>> submit a load of file patches for the commit of the CGI servlet & >>> related files

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread martin
Craig R. McClanahan wrote: > > On Mon, 2 Apr 2001, Amy Roh wrote: > > >> Hi Martin, >> >> See comments below. >> >> Martin Dengler wrote: >> >> [snip] >>> 1) Name, Package, and Inner Classes: >>> >>> Name: Current name is CGIGatewayServlet. The rationale is "this is the >>> first na

RE: I have got a query regarding PrintWriter,

2001-04-02 Thread Anil
Thank you, Dr Mel Martinez, I have tried it and it did work. I believe you have asked aw why I have gone for this solution. Well I was trying to capture all the messages sent to the Std.output stream in tomcat. The code has snippets like > java.io.PrintStream pw = new >

Re: 5 Patches ...

2001-04-02 Thread cmanolache
Hi Victor, Could you send the patches too :-) Costin On Mon, 2 Apr 2001, Vitayaudom, Victor wrote: > Please note patch 1 and especially 4. > > Just helping out. > -Victor > > > patchfile1.txt > -- > I'm interested in sending patches to fix a problem I'm > encountering.

Re: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Craig R. McClanahan
On Tue, 3 Apr 2001, Punky Tse wrote: > > And I think it is also good to state in the mail-announcement and in the > jakarta website that the b2 have such security vulnerability when b3 is > rolled out. > It will. The beta-2 release is also going to get pulled so that no one will download it

Re: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Punky Tse
And I think it is also good to state in the mail-announcement and in the jakarta website that the b2 have such security vulnerability when b3 is rolled out. Punky - Original Message - From: "Craig R. McClanahan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, April 03, 2001

5 Patches ...

2001-04-02 Thread Vitayaudom, Victor
Please note patch 1 and especially 4. Just helping out. -Victor patchfile1.txt -- I'm interested in sending patches to fix a problem I'm encountering. I'm using jasper to save myself deployment time by testing the integrity of the webapp. The

JNDI & LDAP Realm for Tomcat 4.0 & Tomcat 3.2x alpha3 available: NEED YOUR FEEDBACK!

2001-04-02 Thread Roytman, Alex
Dear tomcat users and developers, This is an implementation of JNDI and LDAP realm for Tomcat 3 and 4. I would greatly appreciate your feedback regarding its functionality. Alex Roytman download

cvs commit: jakarta-tomcat-4.0/webapps/ROOT index.html

2001-04-02 Thread craigmcc
craigmcc 01/04/02 17:38:55 Modified: . RELEASE-NOTES-4.0-B3.txt catalina/src/share/org/apache/catalina Globals.java webapps/ROOT index.html Log: Updates for Tomcat 4.0-beta-3. Revision Changes Path 1.2 +25 -1 jakarta-tomcat-4.0

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader Extension.java

2001-04-02 Thread craigmcc
craigmcc 01/04/02 16:43:37 Modified: catalina/src/share/org/apache/catalina/loader Extension.java Log: Do not throw a NullPointerException if a JAR file is missing a manifest. Revision Changes Path 1.2 +5 -3 jakarta-tomcat-4.0/catalina/src/share/org/apache/catal

Re: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Craig R. McClanahan
On Mon, 2 Apr 2001, Mel Martinez wrote: > > --- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > > > > I suggest that we create a revised version of beta > > 2, clearly labelled so > > that people will know whether they have the > > corrected version or not -- > > and we should do this imme

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread Mel Martinez
--- Bip Thelin <[EMAIL PROTECTED]> wrote: > "Craig R. McClanahan" wrote: > > > > > > > > > > 2) Addition to default context > > > > > > > > Would this CGI servlet be added to the default > context similar to > > > > SsiInvokerServlet? > > > > > > Yes. > > > > > > > I would suggest that we do th

Re: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Mel Martinez
--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > > I suggest that we create a revised version of beta > 2, clearly labelled so > that people will know whether they have the > corrected version or not -- > and we should do this immediately (like today) to > minimize the number of > people w

Re: JNDI realm for Catalina

2001-04-02 Thread Craig R. McClanahan
On Mon, 2 Apr 2001, John Holman wrote: > One of the action items in the Catalina status document is a JNDI realm. > I've been working on this recently and wonder whether what I've done would > be useful to the project - though I'm not sure how best to get involved. > Incidentally, the status do

Re: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Meir Faraj
- Original Message - From: "Glenn Nielsen" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, April 03, 2001 12:39 AM Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability > Jon Stevens wrote: > > > > on 4/2/01 2:20 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > > > > >

JNDI realm for Catalina

2001-04-02 Thread John Holman
One of the action items in the Catalina status document is a JNDI realm. I've been working on this recently and wonder whether what I've done would be useful to the project - though I'm not sure how best to get involved. Incidentally, the status document lists James W as a volunteer for this item.

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread Bip Thelin
"Craig R. McClanahan" wrote: > > > > > > > 2) Addition to default context > > > > > > Would this CGI servlet be added to the default context similar to > > > SsiInvokerServlet? > > > > Yes. > > > > I would suggest that we do this, but leave it commented out. The reason > is that the potential f

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread Glenn Nielsen
"Craig R. McClanahan" wrote: > > On Mon, 2 Apr 2001, Amy Roh wrote: > > > Hi Martin, > > > > See comments below. > > > > Martin Dengler wrote: > > > > > > 2) Addition to default context > > > > > > Would this CGI servlet be added to the default context similar to > > > SsiInvokerServlet? > > > >

Re: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Glenn Nielsen
Jon Stevens wrote: > > on 4/2/01 2:20 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > > > I suggest that we create a revised version of beta 2, clearly labelled so > > that people will know whether they have the corrected version or not -- > > and we should do this immediately (like today

Re: Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Jon Stevens
on 4/2/01 2:20 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > I suggest that we create a revised version of beta 2, clearly labelled so > that people will know whether they have the corrected version or not -- > and we should do this immediately (like today) to minimize the number of > pe

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread Craig R. McClanahan
On Mon, 2 Apr 2001, Amy Roh wrote: > Hi Martin, > > See comments below. > > Martin Dengler wrote: > > > I am putting together the next round of updates to the CGIGatewayServlet > > which provides CGI capabilities (especially if you map it to /cgi-bin/* :)). > > > > Hopefully this will take i

Tomcat 4.0-beta-2 Security Vulnerability

2001-04-02 Thread Craig R. McClanahan
As you've seen from bug reports to [EMAIL PROTECTED], the Beta 2 release of Tomcat 4.0 has a security vulnerability that can expose JSP file source code. A partial fix to this problem was implemented prior to shipping beta 2, but it did not deal with all possible causes. The actual bug (URL deco

cvs commit: jakarta-tomcat-4.0/tester/src/bin tester.xml

2001-04-02 Thread craigmcc
craigmcc 01/04/02 14:15:49 Modified: tester/src/bin tester.xml Log: Add a test case to watch for the "double URL decode" vulnerability. Revision Changes Path 1.26 +10 -0 jakarta-tomcat-4.0/tester/src/bin/tester.xml Index: tester.xml =

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi SsiMediator.java

2001-04-02 Thread craigmcc
craigmcc 01/04/02 14:14:33 Modified: catalina/src/share/org/apache/catalina/servlets DefaultServlet.java SsiInvokerServlet.java catalina/src/share/org/apache/catalina/util/ssi SsiMediator.java Log: Update the comments in D

Re: CGI support servlet (TC 4) -- feedback wanted

2001-04-02 Thread Amy Roh
Hi Martin, See comments below. Martin Dengler wrote: > I am putting together the next round of updates to the CGIGatewayServlet > which provides CGI capabilities (especially if you map it to /cgi-bin/* :)). > > Hopefully this will take it to full beta-level; I would like to get it > to a point

Re: Behavior of new Server Side Include Functionality

2001-04-02 Thread Bip Thelin
"Craig R. McClanahan" wrote: > > > We can provide this option since this kind of makes sense in a web-app > > environment. However, I think the default way should be relative to the > > server's root following NCSA. What do you think? > > > > +1 on defaulting to NCSA rules, but I'd really like

Re: VHosting

2001-04-02 Thread Thom May
Dan, STAR! :-) Thanks to you and henri for making this kick ass! cheers, -Thom, making note to liberally distribute beer to both of you if he gets the chance * Dan Milstein ([EMAIL PROTECTED]) wrote on Fri Mar 23, 2001 at 11:55:42 -0500: > Thom, > > There was vigorous back and forth about this o

jaxp1.1 and tomcat 3.2.1 ?

2001-04-02 Thread Michael Hopf
Hi, our xml framework is built on xerces1_2_3 and jaxp1.1. A servlet that uses our xml stuff always throws a no such method error exactly in the line of code where the method saxParser.getXMLReader() is called. I assume that the jaxp.jar file in the $(TOMCAT_HOME)/lib directory is jaxp ve

[Fwd: Re: CHINANSL Security Advisory(CSA-200108)]

2001-04-02 Thread Peter Thomas
Dear Apache, Further to these postings on Bugtraq, could you confirm whether this directory traversal vulnerability has indeed been fixed in the latest versions of TomCat. Kindest regards, Peter Thomas - Editor - http://www.securitywatch.com tel +32 (0)16 28 73 14 - fax +32 (0)16 28 7288

Tomcat 3.2.1 continued

2001-04-02 Thread Stian Myhre
Hi. Below is a snippet of a mail sent to Bugtraq last weekend. I've been playing around with this a bit and I discovered that you can also download files using a URL like this: http://target:8080/%2e%2e/%2e%2e%5cfilenamehere%00.jsp (%5c = "/") this will give you the file you want. St

FW: [shh@thathost.com: Tomcat may reveal script source code byURL trickery 2]

2001-04-02 Thread Jon Stevens
-- From: "Sverre H. Huseby" <[EMAIL PROTECTED]> Date: Mon, 2 Apr 2001 21:03:30 +0200 To: [EMAIL PROTECTED] Subject: [[EMAIL PROTECTED]: Tomcat may reveal script source code by URL trickery 2] Jon, I sent the following to [EMAIL PROTECTED] a few days ago, as you requested. Now I wonder

Re: [ANNOUNCE] Tomcat 4.0 Beta 2

2001-04-02 Thread Earl . Stutes
On 2 Apr, GOMEZ Henri wrote: > The bad news came from mod_webapp which didn't compile at all on > my gcc (many bad struct declarations, missing includes in wa.h) > > Did Pier commit all his changes to cvs before beta2 was closed? > I have seen this for quite a while (several weeks), and j

RE: [ANNOUNCE] Tomcat 4.0 Beta 2

2001-04-02 Thread GOMEZ Henri
Hi, I just finished seeing how to rebuild the beta2 and I notice that many build.xml files must be adapted to allow users with a non-standard jar location to work. Attached are my patches. The bad news came from mod_webapp which didn't compile at all on my gcc (many bad struct declarations, missing inc

RE: CHINANSL Security Advisory(CSA-200108)

2001-04-02 Thread Marc Saegesser
I've been trying to reproduce this using 3.2.1 on Win2000 (as the original reporter stated) and so far I can't make it happen. In all cases I get a 404. I get the same results using 3.2.2b2. > -Original Message- > From: Jon Stevens [mailto:[EMAIL PROTECTED]] > Sent: Monday, April 02, 20

Re: I have got a query regarding PrintWriter,

2001-04-02 Thread Mel Martinez
--- Anil <[EMAIL PROTECTED]> wrote: > I have been trying to intercept all the System.out > and System.err requests > given in tomcat. Here are the excerpts of the > Code. > > I wrote a class WSPrintStream that extends > PrintStream and overrode the > commonly used println(..) statements. > >

Re: CHINANSL Security Advisory(CSA-200108)

2001-04-02 Thread Remy Maucherat
> -- > From: Stian Myhre <[EMAIL PROTECTED]> > Reply-To: Stian Myhre <[EMAIL PROTECTED]> > Date: Mon, 2 Apr 2001 11:54:52 +0200 > To: [EMAIL PROTECTED] > Subject: Re: CHINANSL Security Advisory(CSA-200108) > > Hi all. > > It is possible not only to get the listing > but also the files. > I

FW: CHINANSL Security Advisory(CSA-200108)

2001-04-02 Thread Jon Stevens
-- From: Stian Myhre <[EMAIL PROTECTED]> Reply-To: Stian Myhre <[EMAIL PROTECTED]> Date: Mon, 2 Apr 2001 11:54:52 +0200 To: [EMAIL PROTECTED] Subject: Re: CHINANSL Security Advisory(CSA-200108) Hi all. It is possible not only to get the listing but also the files. If you use replace the

RE: Where the Servlet's generated from JSP's will be saved??

2001-04-02 Thread Kommineni, Sateesh (IndSys)
Thanks a lot Emmanuel > -- > From: Emmanuel Lécharny[SMTP:[EMAIL PROTECTED]] > Reply To: [EMAIL PROTECTED] > Sent: Monday, April 02, 2001 6:25 PM > To: [EMAIL PROTECTED] > Subject: RE: Where the Servlet's generated from JSP's will be saved?? > > look at \work\l

Re: TC3.3 Proposal: Refactoring org.apache.jasper.servlet

2001-04-02 Thread Alex Fernández
Oh, I knew that one :( Thanks anyway, and regards, Alex. Steve Downey wrote: > > It's one of the alternate names for Abstract Factory, from the GoF book. AKA > toolkit. > > The idea is that you have an abstract class with methods such as > createThing1 and createThing2, which return abstra

RE: Where the Servlet's generated from JSP's will be saved??

2001-04-02 Thread Emmanuel Lécharny
look at \work\localhost_8080%2Fexamples given that you installed Tomcat without modifying anything in server.xml. Whatever, it's under \work\ Emmanuel Lécharny, IKTEK 06 08 33 32 61, www.iktek.com -Original Message- From: Kommineni, Sateesh (IndSys) [mailto:[EMA

Where the Servlet's generated from JSP's will be saved??

2001-04-02 Thread Kommineni, Sateesh (IndSys)
Hi, In the Apache tomcat environment, where will the Servlets that are generated by the JspEngine be saved? thanks in advance... Sateesh

I have got a query regarding PrintWriter,

2001-04-02 Thread Anil
I have been trying to intercept all the System.out and System.err requests given in tomcat. Here are the excerpts of the Code. I wrote a class WSPrintStream that extends PrintStream and overrode the commonly used println(..) statements. >

Re: [CATALINA b2] weird issue

2001-04-02 Thread Remy Maucherat
> Craig, > > It seems that there is a bug in 4.0b2 where you must have at least one > defined in the server.xml. Is that right? It seems to me that the > system should just pick up whatever .war files are in the webapps directory > without having to define a for each one or at all. This works wi

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets DefaultServlet.java

2001-04-02 Thread remm
remm 01/04/02 01:41:48 Modified: catalina/src/share/org/apache/catalina/servlets DefaultServlet.java Log: - Fixes security problem reported by Jon and an anonymous hacker. Now http://127.0.0.1:8080/examples/jsp/dates/date%252ejsp returns 404, while

cvs commit: jakarta-tomcat/src/native/mod_jk/apache2.0 mod_jk.c

2001-04-02 Thread hgomez
hgomez 01/04/02 01:26:28 Modified: src/native/mod_jk/apache2.0 mod_jk.c Log: Correct ap_get_remote_host() for post apache 2.0 alpha-15 (Thanks to Jeff Trawick) Revision Changes Path 1.11 +1 -4 jakarta-tomcat/src/native/mod_jk/apache2.0/mod_jk.c Index: mod

[CATALINA b2] weird issue

2001-04-02 Thread Jon Stevens
Craig, It seems that there is a bug in 4.0b2 where you must have at least one defined in the server.xml. Is that right? It seems to me that the system should just pick up whatever .war files are in the webapps directory without having to define a for each one or at all. This works with 3.2.2b2.