Re: joke

From
Alexandr Ishutin ()
To
Alexandr Ishutin ()
Date
2002-09-30T15:02Z
Area
RU.JAVA
From: Alexandr Ishutin <ishu@akm.ru>

Alexandr Ishutin wrote:
> Igor Goida wrote:
> 
>> Eugeny Dzhurinsky wrote:
>>
>>> Hi there, all!.. Thought I'd remind you that I exist...
>>>
>>> === Cut ===
>>> 1. Summary
>>> Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
>>> vulnerable to source code exposure by using the default servlet
>>> org.apache.catalina.servlets.DefaultServlet.
>>>
>>>
>>> 2. Details:
>>> Let's say you have a valid URL like http://my.site/login.jsp, then a URL
>>> like
>>> http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
>>>
>>> will give you the source code of the JSP page.
>>>
>>> The full syntax of the exposure URL is:
>>>
>>> http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
>>> === Cut ===
>>>
>>> With regards, Eugeny
>>>
>>
>> Horrible...
>> If you disable DefaultServlet, static content won't be served, which is
>> not good...
>> Does anyone know how to fix this mess?
>>
> 
> In CATALINA_HOME/conf/web.xml, what you need to comment out is not
> DefaultServlet but InvokerServlet
> 
>   <!-- The "invoker" servlet, which executes anonymous servlet classes      -->
>   <!-- that have not been defined in a web.xml file.  Traditionally, this   -->
>   <!-- servlet is mapped to URL pattern "/servlet/*", but you can map it    -->
>   <!-- to other patterns as well.  The extra path info portion of such a    -->
>   <!-- request must be the fully qualified class name of a Java class that  -->
>   <!-- implements Servlet (or extends HttpServlet), or the servlet name     -->
>   <!-- of an existing servlet definition.     This servlet supports the     -->
>   <!-- following initialization parameters (default values are in square    -->
>   <!-- brackets):                                                           -->
>   <!--                                                                      -->
>   <!--   debug               Debugging detail level for messages logged     -->
>   <!--                       by this servlet.  [0]                          -->
> 
>   <!--servlet>
>     <servlet-name>invoker</servlet-name>
>     <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
>     <init-param>
>       <param-name>debug</param-name>
>       <param-value>0</param-value>
>     </init-param>
>     <load-on-startup>2</load-on-startup>
>   </servlet-->
> 

Sorry, it's better to comment out not org.apache.catalina.servlets.InvokerServlet
itself but its mapping:

   <!--servlet-mapping>
     <servlet-name>invoker</servlet-name>
     <url-pattern>/servlet/*</url-pattern>
   </servlet-mapping-->

--- ifmail v.2.15dev5
 * Origin: Demos online service (2:5020/400)
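An added check for the fix recommended above (example code, not from the thread or from Tomcat): it parses a Tomcat 4 conf/web.xml and reports whether the invoker servlet is still mapped while the default servlet keeps serving "/". The sample web.xml is constructed, and the lookup assumes a Tomcat 4 style web.xml with no XML namespace.

```python
# Added audit example (not code from the thread): parse a Tomcat conf/web.xml
# and report whether the "invoker" servlet is still mapped while the "default"
# servlet that serves static content keeps its "/" mapping. A <servlet-mapping>
# wrapped in <!-- ... --> is an XML comment, so the parser does not see it.
import xml.etree.ElementTree as ET


def audit_web_xml(xml_text: str) -> dict:
    """Return which of the two mappings are active in the given web.xml text."""
    root = ET.fromstring(xml_text)
    mappings = {}  # servlet-name -> list of url-patterns (assumes no namespace)
    for sm in root.iter("servlet-mapping"):
        name = (sm.findtext("servlet-name") or "").strip()
        pattern = (sm.findtext("url-pattern") or "").strip()
        if name:
            mappings.setdefault(name, []).append(pattern)
    return {
        "invoker_active": "invoker" in mappings,
        "invoker_patterns": mappings.get("invoker", []),
        "default_active": "/" in mappings.get("default", []),
    }


# Constructed sample web.xml: the invoker mapping is commented out as the
# thread recommends, and the default servlet still serves "/".
SAMPLE_FIXED = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <!--servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping-->
</web-app>
"""
# Same file with the comment markers removed, i.e. the exposed configuration.
SAMPLE_EXPOSED = SAMPLE_FIXED.replace("<!--servlet-mapping>", "<servlet-mapping>").replace(
    "</servlet-mapping-->", "</servlet-mapping>"
)

if __name__ == "__main__":
    for label, text in (("fixed", SAMPLE_FIXED), ("exposed", SAMPLE_EXPOSED)):
        print(label, audit_web_xml(text))
```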