Security: Page source code disclosure in tomcat
Name: Page source code disclosure in tomcat
ID:
Distribution: Gentoo
Platforms: Not specified
Date: Thu, 26 September 2002, 13:00
References: Not specified
Applications: Apache Tomcat

Original message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------
PACKAGE :tomcat
SUMMARY :source exposure
DATE    :2002-09-25 11:30 UTC
--------------------------------------------------------------------
OVERVIEW
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet.
DETAIL
Suppose you have a valid URL such as http://my.site/login.jsp. A URL like http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp will then return the source code of the JSP page.
The full syntax of the exposure URL is:
http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
More information can be found at:
http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0
SOLUTION
It is recommended that all Gentoo Linux users who are running net-www/tomcat-4.04 and earlier update their systems as follows:
emerge rsync
emerge tomcat
emerge clean
--------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9kaeBfT7nyhUpoZMRAsJTAKCqg0U1g66H0La0/V6plwi+wOHcCACdEUum VWwU9nlWMXrt1A4p52F30m8= =xzdY -----END PGP SIGNATURE-----
_______________________________________________
gentoo-announce mailing list
gentoo-announce@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-announce
_______________________________________________
gentoo-security mailing list
gentoo-security@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-security
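
A detection sketch for the request pattern described in the advisory, added here as an example (it is not part of the Gentoo announcement): it scans access-log lines for requests that invoke org.apache.catalina.servlets.DefaultServlet by class name on a .jsp file and reports the client, the file and the response status. The Common Log Format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Class name of the default servlet named in the advisory (compared lowercased).
SERVLET = "org.apache.catalina.servlets.defaultservlet"
# Request line and status inside a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2002:13:00:01 +0000] "GET /login.jsp HTTP/1.0" 200 1043',
    '198.51.100.7 - - [26/Sep/2002:13:00:05 +0000] "GET /servlet/'
    'org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.0" 200 2210',
    '198.51.100.7 - - [26/Sep/2002:13:00:09 +0000] "GET /shop/servlet/'
    'org.apache.catalina.servlets.DefaultServlet/admin/db.jsp;jsessionid=A1 HTTP/1.1" 404 512',
    '198.51.100.9 - - [26/Sep/2002:13:02:44 +0000] "GET /servlet/'
    'org.apache.catalina.servlets.%44efaultServlet/index.jsp?x=1 HTTP/1.1" 200 900',
]

def exposed_path(target):
    """Return the file requested through DefaultServlet by class name, or None."""
    path = urlsplit(target).path          # drops the query string
    for _ in range(3):                    # undo nested percent-encoding of the class name
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Split into segments and strip path parameters such as ;jsessionid=...
    segments = [s.split(";")[0] for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg.lower() == SERVLET and i + 1 < len(segments):
            return "/" + "/".join(segments[i + 1:])
    return None

def scan(lines):
    """Return (client, file, status) for each request matching the advisory's URL pattern."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path = exposed_path(m.group(1))
        if path and path.lower().endswith(".jsp"):
            hits.append((line.split(" ", 1)[0], path, int(m.group(2))))
    return hits

if __name__ == "__main__":
    for client, path, status in scan(SAMPLE_LOG):
        print(f"{client} requested source of {path} (HTTP {status})")
```

A hit answered with status 200 is the case to review first, since the server returned a body for the request.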