-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT - - -------------------------------------------------------------------- PACKAGE :tomcat SUMMARY :source exposure DATE :2002-09-25 11:30 UTC - - -------------------------------------------------------------------- OVERVIEW Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet. DETAIL Let say you have valid URL like http://my.site/login.jsp, then an URL like http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp will give you the source code of the JSP page. The full syntaxes of the exposure URL is: http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet /[context_relative_path/]file_name.jsp More information can be found at: http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0 SOLUTION It is recommended that all Gentoo Linux users who are running net-www/tomcat-4.04 and earlier update their systems as follows: emerge rsync emerge tomcat emerge clean - - -------------------------------------------------------------------- alizat_private - GnuPG key is available at www.gentoo.org/~aliz - - -------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9kaeOfT7nyhUpoZMRAjecAJwLLkCyj/iVWlRFN+1RrzR4oo9dlQCgi1PV DTRyRrBXhKFbP7+ScPIx2A8= =S0kw -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 10:33:25 PDT