хохма

From

Roman Dawydkin (2:5022/5.77)

To

All ()

Date

2002-10-01T11:10Z

Area

RU.JAVA

[Sat 28/Sep/2002 02:05] Eugeny Dzhurinsky ==> All

 ED> ПpЮвет тебе, all!.. Дай, дyмаю, напомню о себе...

    Хохмить нечего...

 ED> 1. Summary
 ED> Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
 ED> vulnerable to source code exposure by using the default servlet
 ED> org.apache.catalina.servlets.DefaultServlet.

    Ну а дальше прочитать трудно было?

3. Solution:
    3.1 Upgrade to the last releases 4.0.5 and 4.1.12
        See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last releases.

[и это самое правильное решение]

    3.2 Workaround:
There are at least two ways to protect from this vulnerability.
    A. Tomcat in tandem with HTTP server front-end:
        a. If you are using front-end HTTP server you can filter all
requests with the pattern
*/servlet/org.apache.catalina.servlets.DefaultServlet*
        b. If you are using mod_jk to connect tomcat to you front-end server map to Tomcat only the URL's that are part from you application but not all request. See the usage of JkMount directive.
    B. If you are using standalone Tomcat then add protection for this location in all you application descriptors - web.xml. Simple example:

<security-constraint>
  <display-name>Default Servlet</display-name>
  <!-- Disable direct alls on the Default Servlet</web-resource-name -->
  <web-resource-collection>
    <web-resource-name>Disallowed Location</web-resource-name>
    <url-pattern>
      /servlet/org.apache.catalina.servlets.DefaultServlet/*
    </url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

... <airbell@chat.ru>
--- GoldED+/W32
 * Origin: OJSC Efremov Synthetic Rubber Enterprise (2:5022/5.77)