Re: joke

From: Igor Goida ()
To: Alexandr Ishutin ()
Date: 2002-09-30T15:12:18Z
Area: RU.JAVA
From: Igor Goida <i@bansite.ru>

Alexandr Ishutin wrote:
> Alexandr Ishutin wrote:
> 
>> Igor Goida wrote:
>>
>>> Eugeny Dzhurinsky wrote:
>>>
>>>> Hi there, all!.. Thought I'd remind you that I exist...
>>>>
>>>> === Cut ===
>>>> 1. Summary
>>>> Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
>>>> vulnerable to source code exposure by using the default servlet
>>>> org.apache.catalina.servlets.DefaultServlet.
>>>>
>>>>
>>>> 2. Details:
>>>> Let's say you have a valid URL like http://my.site/login.jsp; then a URL like
>>>> http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
>>>> will give you the source code of the JSP page.
>>>>
>>>> The full syntax of the exposure URL is:
>>>>
>>>> http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
>>>> === Cut ===
>>>>
>>>> With regards, Eugeny
>>>>
>>>
>>> Horrible...
>>> If you disable DefaultServlet, static content won't be served, which is
>>> not good...
>>> Does anyone know how to fix this mess?
>>>
>>
>> What you need to comment out in CATALINA_HOME/conf/web.xml is not the
>> DefaultServlet but the InvokerServlet
>>
>>   <!-- The "invoker" servlet, which executes anonymous servlet classes      -->
>>   <!-- that have not been defined in a web.xml file.  Traditionally, this   -->
>>   <!-- servlet is mapped to URL pattern "/servlet/*", but you can map it    -->
>>   <!-- to other patterns as well.  The extra path info portion of such a    -->
>>   <!-- request must be the fully qualified class name of a Java class that  -->
>>   <!-- implements Servlet (or extends HttpServlet), or the servlet name     -->
>>   <!-- of an existing servlet definition.     This servlet supports the     -->
>>   <!-- following initialization parameters (default values are in square    -->
>>   <!-- brackets):                                                           -->
>>   <!--                                                                      -->
>>   <!--   debug               Debugging detail level for messages logged     -->
>>   <!--                       by this servlet.  [0]                          -->
>>
>>   <!--servlet>
>>     <servlet-name>invoker</servlet-name>
>>     <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
>>     <init-param>
>>       <param-name>debug</param-name>
>>       <param-value>0</param-value>
>>     </init-param>
>>     <load-on-startup>2</load-on-startup>
>>   </servlet-->
>>
> 
> Sorry, it is better to comment out not the
> org.apache.catalina.servlets.InvokerServlet itself
> but its mapping:
> 
>   <!--servlet-mapping>
>     <servlet-name>invoker</servlet-name>
>     <url-pattern>/servlet/*</url-pattern>
>   </servlet-mapping-->
> 

Thanks

-- 
Regards,
Igor Goida
i@bansite.ru

--- ifmail v.2.15dev5
 * Origin: Demos online service (2:5020/400)
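As an added example (not part of this thread or of Tomcat itself), a small Python audit of the fix discussed above: it parses a Tomcat conf/web.xml and reports any <servlet-mapping> still bound to the InvokerServlet. Because the XML parser discards comments, a mapping that was commented out as the reply recommends simply never appears, so only live mappings are reported; the two web.xml contents below are constructed samples.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so newer web.xml files parse too."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent, name):
    """Text of the first direct child element called `name`, or None."""
    for child in parent:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def active_invoker_patterns(web_xml):
    """Return url-patterns still mapped to the InvokerServlet. An empty list means
    the mapping is commented out or absent, i.e. the fix from the thread is applied."""
    root = ET.fromstring(web_xml)
    invoker_names = {
        _child_text(el, "servlet-name")
        for el in root
        if _local(el.tag) == "servlet" and _child_text(el, "servlet-class") == INVOKER_CLASS
    }
    return [
        _child_text(el, "url-pattern")
        for el in root
        if _local(el.tag) == "servlet-mapping" and _child_text(el, "servlet-name") in invoker_names
    ]


# Constructed sample modelled on the Tomcat 4.x default: the invoker mapping is live.
WEAK_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# The same file with the mapping turned into an XML comment, as the reply recommends.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "<servlet-mapping>", "<!--servlet-mapping>").replace("</servlet-mapping>", "</servlet-mapping-->")

if __name__ == "__main__":
    print("live invoker mappings (weak): ", active_invoker_patterns(WEAK_WEB_XML))   # ['/servlet/*']
    print("live invoker mappings (fixed):", active_invoker_patterns(FIXED_WEB_XML))  # []
```

Run it against a real CATALINA_HOME/conf/web.xml by passing the file's contents to active_invoker_patterns; a non-empty result means the /servlet/* path to DefaultServlet is still reachable.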