Invoke servlet security flaw

Tomas Nilson
Ranch Hand
Joined: Jan 14, 2002
Posts: 33
At: http://www.moreservlets.com/Using-Tomcat-4.html#Enable-Invoker I read "Up until Apache Tomcat 4.1.12, the invoker was enabled by default. However, a security flaw was recently uncovered whereby the invoker servlet could be used to see the source code of servlets that were generated from JSP pages." Does anyone know if this has been fixed in 5.5.7? I guess not since the automatic invoker is still turned off by default. Thanks! Tom

Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13410
It looks like the invoker servlet has not been touched since 2002. http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java?rev=1.6&view=log That Tomcat's own contributors call it "Evil" is enough cause for me to look at it "no further". Given that there is a good sized list of excellent reasons not to ever use it (and that no reasonable person will ever use it), the community that contributes to Tomcat would be right in deciding that any further work on it would be an absolute waste of time.

Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56233
The invoker is the security flaw. It is fixed by keeping it disabled.
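As an added example (not code from this thread or from Tomcat itself), here is a small check that a Tomcat conf/web.xml really leaves the invoker disabled: it reports the URL patterns on which org.apache.catalina.servlets.InvokerServlet is actively mapped and ignores commented-out blocks, which is how the stock 4.1.12+ and 5.5 configurations switch it off. The two web.xml fragments are constructed for the demonstration; `/servlet/*` is assumed to be the usual invoker mapping.

```python
"""Report whether a Tomcat conf/web.xml still maps the invoker servlet.
Added example; the web.xml fragments below are constructed, not real files."""
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"


def _local(tag):
    # Tomcat 5.x web.xml declares the J2EE namespace; strip it for comparison.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, local_name):
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return None


def invoker_mappings(web_xml_text):
    """Return the url-patterns on which InvokerServlet is actively mapped.

    ElementTree drops XML comments, so a <servlet-mapping> that has been
    commented out (the stock way of disabling the invoker) is not reported.
    """
    root = ET.fromstring(web_xml_text)
    names = {_child_text(e, "servlet-name") for e in root.iter()
             if _local(e.tag) == "servlet"
             and _child_text(e, "servlet-class") == INVOKER_CLASS}
    names.discard(None)
    return [_child_text(e, "url-pattern") for e in root.iter()
            if _local(e.tag) == "servlet-mapping"
            and _child_text(e, "servlet-name") in names]


# Constructed fragment with the invoker live on /servlet/* (pre-4.1.12 style).
ENABLED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
</web-app>"""

# Same file with the mapping commented out, as Tomcat ships it by default now.
DISABLED = (ENABLED.replace("<servlet-mapping>", "<!-- <servlet-mapping>")
            .replace("</servlet-mapping>", "</servlet-mapping> -->"))

if __name__ == "__main__":
    for label, text in (("enabled", ENABLED), ("disabled", DISABLED)):
        print(label, "->", invoker_mappings(text) or "invoker not mapped")
```

Point it at the real conf/web.xml (and at each webapp's WEB-INF/web.xml, since an application can re-declare the servlet) to confirm an empty result.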

Tomas Nilson
Ranch Hand
Joined: Jan 14, 2002
Posts: 33
Thanks a lot guys! I now know what to do. :-)

Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13410
I hope we didn't come across as biased or overly opinionated. [ March 25, 2005: Message edited by: Ben Souther ]

Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56233
Not us! :roll: