A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows a specially crafted URL to be used to return the unprocessed source of a JSP page or, under special circumstances, a static resource that would otherwise have been protected by a security constraint, without the need to be properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148.
- Posted by: Neven Cvetkovic
- Posted on: January 10 2003 11:09 EST
For more details:
My god, this is OLD news...
Is it another effort by TSS to hurt the Java community?
BTW, Tomcat's latest version is 4.1.18, and this vulnerability has also been corrected in the latest 4.0.x branch.
This vulnerability only allows showing the source code of JSPs. Anybody with decent Java skills would not put anything important there anyway.
And Struts users will also put their JSPs under WEB-INF/, which will protect them anyway.
And normally Tomcat would run behind Apache - the forged URL should not be forwarded to Tomcat. In my conf file it's only forwarding *.do URLs, for example...
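An added audit helper, not from the thread or from Tomcat, that checks the two mitigations discussed above against a web application's layout: it lists JSPs that sit outside WEB-INF/ (their source is what the disclosure returns) and resources outside WEB-INF/ that rely only on a web.xml security constraint (the protection the advisory says can be bypassed). The web.xml and the file list are constructed samples; url-pattern matching follows the servlet specification's three forms (exact, path prefix, extension).

```python
import os
import xml.etree.ElementTree as ET

def url_pattern_matches(pattern, path):
    """Servlet-spec matching: '/', '/*', '/dir/*', '*.ext' or an exact path."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def constrained_patterns(web_xml_text):
    """Collect every <url-pattern> that appears inside a <security-constraint>."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for sc in root.iter():
        if sc.tag.endswith("security-constraint"):
            patterns += [up.text.strip() for up in sc.iter()
                         if up.tag.endswith("url-pattern") and up.text]
    return patterns

def list_webapp(root_dir):
    """Paths of all files under a deployed webapp, as request paths ('/a/b.jsp')."""
    paths = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root_dir)
            paths.append("/" + rel.replace(os.sep, "/"))
    return sorted(paths)

def audit(paths, patterns):
    """Flag JSPs served directly and resources guarded only by a constraint."""
    served = [p for p in paths if not p.startswith("/WEB-INF/")]  # WEB-INF is never served
    return {
        "jsp_source_exposed": [p for p in served if p.endswith(".jsp")],
        "constraint_only": [p for p in served
                            if any(url_pattern_matches(pat, p) for pat in patterns)],
    }

# Constructed sample web.xml (servlet 2.3 style, no namespace) and file list.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/reports/secret.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
SAMPLE_PATHS = ["/index.jsp", "/admin/users.jsp", "/reports/secret.html",
                "/reports/public.html", "/WEB-INF/jsp/edit.jsp", "/WEB-INF/web.xml"]
```

Run `audit(list_webapp("/path/to/webapp"), constrained_patterns(open(".../WEB-INF/web.xml").read()))` against a real deployment; anything in `constraint_only` needs the patched Tomcat or the front-end filtering the reply above describes, not just the constraint.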
Well, the Tomcat thing is old news....
but this is good news: .NET is dead, enjoy.
"C|net is reporting that Microsoft is dropping the name "Windows .NET Server" and going back to "Windows Server 200x" (where x is currently expected to be 3). Other products with .NET in the name are also being evaluated for renaming. Analysts are being quoted as saying that slapping .NET on so many Microsoft products has confused people as to what .NET actually means. Or could it be that customers know what it means, but nobody wants to buy it?" Obiwan Kenobi points out a similar article at ENT News