http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365

JSP source disclosure vulnerability not fixed when invoking servlets by name

Summary: JSP source disclosure vulnerability not fixed when invoking servlets by name
Product: Tomcat 4
Version: 4.1.12
Platform: PC
OS/Version: Windows NT/2K
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

The fix for the JSP source disclosure security hole is incomplete. Currently, it rejects servlet names starting with org.apache.catalina, but this solution fails to take into account the fact that servlets can be invoked by their name, and not just their class name.

To see an example of this, on a stock 4.1.12 installation, uncomment the invoker servlet mapping in the default web.xml and go to this URL:

http://localhost:8080/examples/servlet/default/jsp/snp/snoop.jsp

The important part is the "/servlet/default" fragment, which will bypass the new security checks and invoke the default servlet.

Although this is less of a problem than the one discovered originally (since the servlet mapping is commented out by default), I believe that a lot of people using Tomcat are relying on the invoker servlet, and so have uncommented the mapping in their 4.0.5 and 4.1.12 installations. Therefore there's reason to believe that there are still a large number of vulnerable servers out there.

I haven't tested this on 4.0.5, but I'm assuming that it's also vulnerable.
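Added example, not part of the bug report or of Tomcat's own code: a small Python scan over Tomcat access-log lines that flags requests through the invoker mapping (/servlet/*) which name either a class under the org.apache.catalina prefix rejected by the 4.1.12 fix or the file-serving servlet by its declared name "default" with a .jsp path, i.e. the bypass described above. The log lines are constructed, and the line regex assumes Tomcat's common access-log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2002:10:00:00 +0000] "GET /examples/jsp/snp/snoop.jsp HTTP/1.0" 200 1843
10.0.0.5 - - [01/Oct/2002:10:00:01 +0000] "GET /examples/servlet/default/jsp/snp/snoop.jsp HTTP/1.0" 200 1022
10.0.0.5 - - [01/Oct/2002:10:00:02 +0000] "GET /examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/snp/snoop.jsp HTTP/1.0" 404 0
10.0.0.6 - - [01/Oct/2002:10:00:03 +0000] "GET /examples/servlet/HelloWorldExample HTTP/1.0" 200 600
"""

# client, ident, user, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# /servlet/<servlet name or class>/<path info>
INVOKER_RE = re.compile(r"/servlet/(?P<name>[^/?]+)(?P<info>/[^?]*)?")

BLOCKED_PREFIX = "org.apache.catalina"  # class-name prefix the 4.1.12 fix rejects
FILE_SERVING_NAMES = {"default"}         # declared names of servlets that serve raw files


def classify_request(path):
    """Return a reason string if the path looks like a JSP source request via the
    invoker servlet, otherwise None. Percent-encoding is decoded before matching."""
    m = INVOKER_RE.search(unquote(path))
    if not m:
        return None
    name, info = m.group("name"), m.group("info") or ""
    if name.startswith(BLOCKED_PREFIX):
        return "invoker called with blocked class name %s" % name
    if name in FILE_SERVING_NAMES and info.lower().endswith(".jsp"):
        return "invoker called file-serving servlet '%s' by name for %s" % (name, info)
    return None


def scan_log(text):
    """Return (client, status, path, reason) for every flagged request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("path"))
        if reason:
            hits.append((m.group("client"), int(m.group("status")), m.group("path"), reason))
    return hits


if __name__ == "__main__":
    # A 200 on a flagged request means the source was most likely served.
    for client, status, path, reason in scan_log(SAMPLE_LOG):
        print(client, status, path, "->", reason)
```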