From aliz@gentoo.org Wed Sep 25 15:16:05 2002 From: Daniel Ahlberg To: bugtraq@securityfocus.com Date: Wed, 25 Sep 2002 14:09:50 +0200 Subject: GLSA: tomcat -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT - - -------------------------------------------------------------------- PACKAGE :tomcat SUMMARY :source exposure DATE :2002-09-25 11:30 UTC - - -------------------------------------------------------------------- OVERVIEW Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet. DETAIL Let say you have valid URL like http://my.site/login.jsp, then an URL like http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp will give you the source code of the JSP page. The full syntaxes of the exposure URL is: http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet /[context_relative_path/]file_name.jsp More information can be found at: http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0 SOLUTION It is recommended that all Gentoo Linux users who are running net-www/tomcat-4.04 and earlier update their systems as follows: emerge rsync emerge tomcat emerge clean - - -------------------------------------------------------------------- aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz - - -------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9kaeOfT7nyhUpoZMRAjecAJwLLkCyj/iVWlRFN+1RrzR4oo9dlQCgi1PV DTRyRrBXhKFbP7+ScPIx2A8= =S0kw -----END PGP SIGNATURE-----