On Tuesday 24 September 2002 05:26 pm, Jon Scott Stevens wrote:
> on 2002/9/24 4:59 AM, "Remy Maucherat" <[EMAIL PROTECTED]> wrote:
>
> > A security vulnerability has been confirmed to exist in all Apache
> > Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
> > allows the use of a specially crafted URL to return the unprocessed source
> > of a JSP page, or, under special circumstances, a static resource which
> > would otherwise have been protected by a security constraint, without the
> > need for being properly authenticated.
>
> Once again...JSP sucks and Velocity is the right way to go...you will never
> have to worry about your container spilling your beans (pun intended).

Perhaps you would prefer this exploit?

http://localhost:8080/velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm

Horrors! Velocity is insecure!

The DefaultServlet exploit is a general security problem in Tomcat. JSP may be
somewhat more vulnerable, due to the (somewhat naive) expectation that the
source will be confidential, but it's not really JSP per se that is at fault.
I wonder what could be done with the CGIServlet, for example.

The root cause is the InvokerServlet. It's inherently insecure. It can be used
not just to execute an arbitrary servlet, but to actually load any Java class.
And loading a class is not side-effect free.

> Given that Tomcat gets around 100k+ downloads/week...imagine how many
> servers now need to be updated and how much money and time that will cost
> to do so?
>
> http://jakarta.apache.org/velocity/
>
> Wake up people. Velocity is faster and more secure than JSP will ever be.

As long as it's running on an insecure container, it's really no safer.

> -jon
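The detection side of the point made above, as an added example that is not from the thread: a scan over constructed Tomcat access-log lines that flags any request routed through the invoker's /servlet/* mapping by a fully qualified class name, the pattern the DefaultServlet URL above relies on. The log lines, IPs and the HelloWorld/com.example names are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (Common Log Format); not from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2002:17:30:01 -0700] "GET /velexample/index.vm HTTP/1.1" 200 1520
10.0.0.9 - - [24/Sep/2002:17:31:12 -0700] "GET /velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm HTTP/1.1" 200 812
10.0.0.9 - - [24/Sep/2002:17:31:40 -0700] "GET /shop/servlet/org.apache.catalina.servlets.CGIServlet/ HTTP/1.1" 404 0
10.0.0.7 - - [24/Sep/2002:17:32:05 -0700] "GET /shop/servlet/HelloWorld HTTP/1.1" 200 120
10.0.0.7 - - [24/Sep/2002:17:33:00 -0700] "POST /shop/login.jsp HTTP/1.1" 302 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A path segment after /servlet/ that contains a dot is a fully qualified class
# name: the invoker will try to load it regardless of whether the application
# ever mapped that class as a servlet.
INVOKER_CLASS_RE = re.compile(
    r'/servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)(?:/|$)'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> str:
    """Return a verdict for one request path."""
    m = INVOKER_CLASS_RE.search(path)
    if not m:
        return "ok"
    # Container-internal servlets reached through the invoker (DefaultServlet,
    # CGIServlet, ...) bypass the app's own mappings and constraints entirely.
    if m.group("cls").startswith("org.apache.catalina."):
        return "internal-servlet-via-invoker"
    return "class-via-invoker"


def find_invoker_hits(log: str) -> List[Dict[str, str]]:
    """Scan CLF text and return the requests worth reviewing (any status code:
    a 404 still records an attempt to load the class)."""
    hits = []
    for line in log.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        verdict = classify(rec["path"])
        if verdict != "ok":
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "verdict": verdict})
    return hits
```

On the container side the durable mitigation is to remove the invoker's /servlet/* servlet-mapping from Tomcat's conf/web.xml, so classes are reachable only through the servlet-mapping entries an application declares itself.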