DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13578>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13578

Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11 releases

           Summary: Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11 releases
           Product: Tomcat 4
           Version: 4.1.11
          Platform: All
               URL: http://www.ultranet.tv
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina:Modules
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Guys, you have offered a solution for 4.0.5, and ONLY IMPLICITLY for 4.1.12, for the JSP disclosure bug: downloading a new web.xml file. We had to unsuccessfully try re-installing the server before we found out that the solution doesn't really require that.

Millions of people running other 4.x versions (excluding 4.0.6) have only 2 choices:

1) disable all non-custom-named servlets
2) upgrade the server immediately

Well, we couldn't upgrade just like that. We have some changes that need to be made first (or perhaps there is another Unicode-related bug in 4.1.12).

I suggest 2 solutions here, and very much hope that you list these as an option for non-4.0.5/4.0.6/4.1.12 users:

A.

1) Download servlets-invoker.jar from a 4.1.12 installation (will be attached in a later message marked A.) (or equivalent) into $CATALINA_HOME/server/lib/.

2) Download http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip, unzip it, and put web.xml (will be attached in a later message marked A.) into $CATALINA_HOME/conf.

This solution has none of my code, although it did take a while to figure things out. Totally trustworthy. It generates a 404 error (Not Found) for all hacking requests.

B.

1) Put the web.xml modified by me, which will be attached in a later message marked B. (or equivalent), into the $CATALINA_HOME/conf/ folder. The only changes I made to web.xml are:

...
    <servlet>
        <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- Name a dummy servlet, so that hacking requests can be forwarded to it -->
    <servlet>
        <servlet-name>AntiHacker</servlet-name>
        <servlet-class>rs.security.SourceDisclosure</servlet-class>
    </servlet>

...

    <!-- Send hacking requests to this servlet and thus prevent source disclosure -->
    <servlet-mapping>
        <servlet-name>AntiHacker</servlet-name>
        <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pattern>
    </servlet-mapping>

2) Optional: Put SourceDisclosure.class, which will be attached in a later message marked B. (or equivalent), into the WEB-INF/classes/rs/security/ folder of each application. It has to be rs/security/ because that's how I compiled it. Equivalents can be made differently. It is optional: if it's not there in an application, then no source will be shown, but instead a 503 (Service Unavailable) error message will pop up, which does no harm to the server and prevents the hacking. The class does nothing but print "All right, now we can report the IP address of the criminal who's been hacking Java servers all over the Internet to the Interpol: 127.0.0.1" :)

Btw, it would be very useful if the simplicity of such solution(s) was expressed in a visible place on the Tomcat pages. It took quite a few hours to figure these things out.

Thanks,
r
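As an added example (not the reporter's attached class and not Tomcat's own code): a servlet that can stand in for rs.security.SourceDisclosure in the mapping above. Instead of printing a message it answers every request with 404, the same response the hotfix web.xml from solution A produces, and logs the client address and requested URI through the servlet context. The package and class name are chosen only so the web.xml fragment above works unchanged.

```java
package rs.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Stand-in for the "AntiHacker" servlet mapped to
 * /servlet/org.apache.catalina.servlets.DefaultServlet/* in web.xml.
 * Any request that reaches this mapping is one the invoker would otherwise
 * hand to the DefaultServlet, which would return the JSP source verbatim.
 * Nothing is forwarded: the request is logged and refused with 404.
 */
public class SourceDisclosure extends HttpServlet {

    // Override service() rather than doGet() so every HTTP method
    // (GET, POST, HEAD, ...) receives the same refusal.
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getRequestURI() returns the raw, still percent-encoded path,
        // which is the form you want preserved in a log entry.
        getServletContext().log("blocked invoker/DefaultServlet request "
                + req.getRequestURI() + " from " + req.getRemoteAddr());

        // Not Found rather than 503: it reveals nothing about why the
        // request was refused and matches what a missing resource returns.
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }
}
```

Compile it against the servlet.jar shipped with the Tomcat install and place the class file under WEB-INF/classes/rs/security/ in each web application, as step B.2 describes.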