JavaRanch » Java Forums » Java » Servlets
Invoke servlet security flaw

Tomas Nilson
Ranch Hand

Joined: Jan 14, 2002
Posts: 33
At:

http://www.moreservlets.com/Using-Tomcat-4.html#Enable-Invoker

I read "Up until Apache Tomcat 4.1.12, the invoker was enabled by default. However, a security flaw was recently uncovered whereby the invoker servlet could be used to see the source code of servlets that were generated from JSP pages."

Does anyone know if this has been fixed in 5.5.7? I guess not since the automatic invoker is still turned off by default.

Thanks!

Tom
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

It looks like the invoker servlet has not been touched since 2002.
http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java?rev=1.6&view=log

That Tomcat's own contributors call it "Evil" is enough cause for me to look at it "no further".

Given that there is a good sized list of excellent reasons not to ever use it (and that no reasonable person will ever use it), the community that contributes to Tomcat would be right in deciding that any further work on it would be an absolute waste of time.

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60997

The invoker is the security flaw. It is fixed by keeping it disabled.

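As an added example (not part of the thread, and not Tomcat's own code), here is a small Python audit that parses a Tomcat conf/web.xml and reports whether the invoker servlet still has a live URL mapping. The two web.xml samples are constructed to mirror the shape of Tomcat's default file, where the invoker's `/servlet/*` mapping is left commented out.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

def _local(tag):
    # Strip an XML namespace ({uri}name -> name); Tomcat 5.x's web.xml is namespaced.
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    # Text of the first direct child called `name`, or None.
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None

def invoker_mappings(web_xml):
    """Return the URL patterns through which the invoker servlet is reachable.

    A servlet is live only when its <servlet> declaration and a matching
    <servlet-mapping> are both present and uncommented; commented-out XML
    is invisible to the parser, which mirrors how Tomcat reads the file.
    """
    root = ET.fromstring(web_xml)
    names = {_text(s, "servlet-name") for s in root
             if _local(s.tag) == "servlet" and _text(s, "servlet-class") == INVOKER_CLASS}
    return [_text(m, "url-pattern") for m in root
            if _local(m.tag) == "servlet-mapping" and _text(m, "servlet-name") in names]

# Constructed sample in the shape of Tomcat's conf/web.xml: the invoker is
# declared, but its /servlet/* mapping is left commented out (the safe default).
SECURE_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>"""

# Constructed sample: the same file with the comment markers removed, i.e. an
# administrator has re-enabled the invoker.
ENABLED = SECURE_DEFAULT.replace("<!--", "").replace("-->", "")

if __name__ == "__main__":
    print(invoker_mappings(SECURE_DEFAULT), invoker_mappings(ENABLED))
```

An empty list means the invoker cannot be reached through any URL, which is the state this thread recommends keeping.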
Tomas Nilson
Ranch Hand

Joined: Jan 14, 2002
Posts: 33
Thanks a lot guys! I now know what to do. :-)
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

I hope we didn't come across as biased or overly opinionated.


[ March 25, 2005: Message edited by: Ben Souther ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60997

Not us! :roll: