Re: joke

From: Alexandr Ishutin
To: Igor Goida
Date: 2002-09-30T14:57:55Z
Area: RU.JAVA
From: Alexandr Ishutin <ishu@akm.ru>

Igor Goida wrote:
> Eugeny Dzhurinsky wrote:
> 
>> Hi there, all!.. I figured I'd remind you I'm still around...
>>
>> === Cut ===
>> 1. Summary
>> Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
>> vulnerable to source code exposure by using the default servlet
>> org.apache.catalina.servlets.DefaultServlet.
>>
>>
>> 2. Details:
>> Let's say you have a valid URL like http://my.site/login.jsp; then a URL
>> like
>> http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
>>
>> will give you the source code of the JSP page.
>>
>> The full syntax of the exposure URL is:
>>
>> http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
>> === Cut ===
>>
>> With regards, Eugeny
>>
> 
> Horrible...
> If you disable the DefaultServlet, static content won't be served, which is
> not good...
> Does anyone know how to fix this mess?
> 

What needs to be commented out in CATALINA_HOME/conf/web.xml is not the
DefaultServlet but the InvokerServlet:

   <!-- The "invoker" servlet, which executes anonymous servlet classes      -->
   <!-- that have not been defined in a web.xml file.  Traditionally, this   -->
   <!-- servlet is mapped to URL pattern "/servlet/*", but you can map it    -->
   <!-- to other patterns as well.  The extra path info portion of such a    -->
   <!-- request must be the fully qualified class name of a Java class that  -->
   <!-- implements Servlet (or extends HttpServlet), or the servlet name     -->
   <!-- of an existing servlet definition.     This servlet supports the     -->
   <!-- following initialization parameters (default values are in square    -->
   <!-- brackets):                                                           -->
   <!--                                                                      -->
   <!--   debug               Debugging detail level for messages logged     -->
   <!--                       by this servlet.  [0]                          -->

   <!--servlet>
     <servlet-name>invoker</servlet-name>
     <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
     <init-param>
       <param-name>debug</param-name>
       <param-value>0</param-value>
     </init-param>
     <load-on-startup>2</load-on-startup>
   </servlet-->

--- ifmail v.2.15dev5
 * Origin: Demos online service (2:5020/400)
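A defender-side check for the fix above, added here as an example; it is not code from the original post or from Tomcat. It parses a Tomcat 4 style conf/web.xml (no XML namespace) and reports any InvokerServlet definition, and any servlet-mapping pointing at it, that is still live. Because the XML parser discards comments, a block wrapped in <!-- ... --> as in the post produces no finding. Both web.xml samples are constructed; the "invoker" name and the "/servlet/*" pattern follow the Tomcat comment quoted above, and the assumption is that the mapping lives in a <servlet-mapping> element next to the definition.

```python
# Added example (not from the original post or from Tomcat): report whether a
# Tomcat 4 conf/web.xml still has a live InvokerServlet definition or mapping.
# Assumes the Tomcat 4 layout: no XML namespace, the invoker defined as a
# <servlet> and mapped by a <servlet-mapping> (by default to "/servlet/*").
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"


def find_active_invoker(web_xml_text):
    """Return a list of findings for any InvokerServlet that is still active.

    The parser drops XML comments, so a block wrapped in <!-- ... --> (the fix
    recommended in the thread) is never seen and yields no finding.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    invoker_names = set()

    # Live <servlet> definitions whose class is the invoker.
    for servlet in root.findall("servlet"):
        name = (servlet.findtext("servlet-name") or "").strip()
        cls = (servlet.findtext("servlet-class") or "").strip()
        if cls == INVOKER_CLASS:
            invoker_names.add(name)
            findings.append("servlet '%s' is %s" % (name, INVOKER_CLASS))

    # Live <servlet-mapping> entries that route a URL pattern to such a servlet.
    for mapping in root.findall("servlet-mapping"):
        name = (mapping.findtext("servlet-name") or "").strip()
        pattern = (mapping.findtext("url-pattern") or "").strip()
        if name in invoker_names:
            findings.append("servlet-mapping '%s' -> '%s' is live" % (name, pattern))

    return findings


def invoker_disabled(web_xml_text):
    """True when no InvokerServlet definition or mapping survives parsing."""
    return not find_active_invoker(web_xml_text)


# Constructed sample: the shipped layout, with the invoker and its mapping live.
VULNERABLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file after the fix from the post, with both the
# invoker definition and its mapping commented out; the DefaultServlet stays.
FIXED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <!--servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet-->
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <!--servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping-->
</web-app>
"""

if __name__ == "__main__":
    for label, text in (("shipped", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "->", find_active_invoker(text) or "no live invoker")
```

Commenting out only the mapping is a partial fix: the definition is still reported, which is the point of checking both elements rather than just the "/servlet/*" pattern. To check a real installation, read CATALINA_HOME/conf/web.xml and pass its contents to find_active_invoker().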