FYI

-----Original Message-----
From: Remy Maucherat [mailto:remm@apache.org]
Sent: Wednesday, October 09, 2002 9:08 AM
To: Tomcat Developers List; Tomcat Users List; announcements
Subject: [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability; Apache Tomcat 4.0.6 released


A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
crafted URL to return the unprocessed source of a JSP page, or, under
special circumstances, a static resource which would otherwise have been
protected by security constraint, without the need for being properly
authenticated. This is based on a variant of the exploit that was
disclosed on 09/24/2002.

The cause
---------

Using the invoker servlet in conjunction with the default servlet
(responsible for handling static content in Tomcat) triggers this
vulnerability.

Who is vulnerable
-----------------

- All Tomcat 4.0.x releases, except those in which the invoker servlet
is disabled (this is not the default setting).
- All Tomcat 4.1.x releases before 4.1.12, except those in which the
invoker servlet is disabled (this is not the default setting), as
well as 4.1.12 if and only if the invoker servlet has been enabled.
The default Tomcat 4.1.12 installation is not vulnerable.

Fixes and workarounds
---------------------

Doing either of the following will resolve the security problem:

A) Disabling the invoker servlet

In the $CATALINA_HOME/conf/web.xml file (on Windows,
%CATALINA_HOME%\conf\web.xml), comment out or remove the following
XML fragment:

      <servlet-mapping>
          <servlet-name>invoker</servlet-name>
          <url-pattern>/servlet/*</url-pattern>
      </servlet-mapping>

B) If running any Tomcat 4.0.x releases, download and install the
following binary patch:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfi
x/13365.zip

Simply unzip the archive in the $CATALINA_HOME folder (on Windows
%CATALINA_HOME%). Make sure paths are preserved when unzipping. The
patch will overwrite the default webapp configuration file
($CATALINA_HOME/conf/web.xml) to add a workaround to protect
against the security vulnerability.

C) If running Tomcat 4.1.12 and the invoker servlet was enabled, it must
be disabled at this time. A new Tomcat 4.1.x release incorporating
the fix to the invoker servlet will be made available shortly.

D) If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.

New release
-----------

The Apache Tomcat Team announces the immediate availability of
a new release which includes a fix to the invoker servlet.

Apache Tomcat 4.0.6:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/

Remy


--
To unsubscribe, e-mail:
<mailto:announcements-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:announcements-help@jakarta.apache.org>


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.