klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
 Posted: Wed Sep 25, 2002 5:16 pm Post subject: [gentoo-announce] GLSA: tomcat |
 |
|
| Daniel Ahlberg wrote: | - - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------
PACKAGE :tomcat
SUMMARY :source exposure
DATE :2002-09-25 11:30 UTC
- - --------------------------------------------------------------------
OVERVIEW
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to
source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.
DETAIL
Let say you have valid URL like http://my.site/login.jsp, then an URL like
http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
will give you the source code of the JSP page.
The full syntaxes of the exposure URL is:
http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet
/[context_relative_path/]file_name.jsp
More information can be found at:
http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0
SOLUTION
It is recommended that all Gentoo Linux users who are running
net-www/tomcat-4.04 and earlier update their systems
as follows:
emerge rsync
emerge tomcat
emerge clean
- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
|
Mailing List Archive: http://lists.gentoo.org/pipermail/gentoo-announce/2002-September/000206.html
_________________
The problem with political jokes is that they get elected |
|
News & Announcements
