
Invoke servlet security flaw

 
Tomas Nilson
Ranch Hand
Posts: 33
At:

http://www.moreservlets.com/Using-Tomcat-4.html#Enable-Invoker

I read "Up until Apache Tomcat 4.1.12, the invoker was enabled by default. However, a security flaw was recently uncovered whereby the invoker servlet could be used to see the source code of servlets that were generated from JSP pages."

Does anyone know if this has been fixed in 5.5.7? I guess not since the automatic invoker is still turned off by default.

Thanks!

Tom
 
Ben Souther
Sheriff
Posts: 13411
It looks like the invoker servlet has not been touched since 2002.
http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java?rev=1.6&view=log

That Tomcat's own contributors call it "Evil" is enough cause for me to look at it "no further".

Given that there is a good sized list of excellent reasons not to ever use it (and that no reasonable person will ever use it), the community that contributes to Tomcat would be right in deciding that any further work on it would be an absolute waste of time.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64631
The invoker is the security flaw. It is fixed by keeping it disabled.
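As an added example (not code from this thread or from the Tomcat project), here is a small audit script for the advice above: it parses a Tomcat `conf/web.xml` (or an application's `WEB-INF/web.xml`) and reports every `url-pattern` that routes to `org.apache.catalina.servlets.InvokerServlet`, treating a commented-out definition as disabled. The two `web.xml` snippets are constructed samples; the class name is the one from the CVS link above, and `/servlet/*` is the mapping Tomcat's stock `web.xml` used for the invoker.

```python
"""Audit a Tomcat web.xml for an active invoker servlet mapping.
Added example for this thread, not code from Tomcat itself."""
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

def _local(tag):
    # Strip an XML namespace ("{http://...}servlet" -> "servlet") so the check
    # works for both the un-namespaced 2.3 DTD and the namespaced 2.4 schema.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    # Text of every direct child element called `name`, namespace-agnostic.
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def invoker_mappings(web_xml_text):
    """Return the url-patterns that route requests to the InvokerServlet.

    ElementTree discards XML comments while parsing, so the commented-out
    definition that Tomcat ships by default is correctly reported as inactive.
    """
    root = ET.fromstring(web_xml_text)
    names = set()
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet" and INVOKER_CLASS in _texts(servlet, "servlet-class"):
            names.update(_texts(servlet, "servlet-name"))
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) == "servlet-mapping" and names & set(_texts(mapping, "servlet-name")):
            patterns.extend(_texts(mapping, "url-pattern"))
    return patterns

# Constructed sample: invoker both defined and mapped (the pre-4.1.12 default shape).
ENABLED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample: the same file with the mapping commented out, as Tomcat ships it.
DISABLED = ENABLED.replace("<servlet-mapping>", "<!-- <servlet-mapping>").replace(
    "</servlet-mapping>", "</servlet-mapping> -->")
```

`invoker_mappings(ENABLED)` returns `['/servlet/*']`, while `invoker_mappings(DISABLED)` returns an empty list; an empty list is the state you want to see on every Tomcat you run.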
 
Tomas Nilson
Ranch Hand
Posts: 33
Thanks a lot guys! I now know what to do. :-)
 
Ben Souther
Sheriff
Posts: 13411
I hope we didn't come across as biased or overly opinionated.
[ March 25, 2005: Message edited by: Ben Souther ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64631
Not us! :roll:
 