tomcat-dev mailing list archives

From Danno Ferrin <shem...@earthlink.net>
Subject Re: Tomcat 3.2
Date Wed, 26 Jul 2000 20:06:14 GMT
This is the SnoopServlet from the servlet examples that will be changed;
snoop.jsp will be unaffected.  There is no pointer in the example page
to this servlet nor any documentation of the .snp mapping, so if they do
only what the opening web pages tell them it will not break.  I do not
consider snoop.jsp to be a security hole and I do not plan on removing
it, so I don't intend on removing the snoop.jsp link (which does not
involve the SnoopServlet.class).

--Danno

rubys@us.ibm.com wrote:
> 
> Danno Ferrin wrote:
> >
> >     After reading the bugtraq a little closer I realized that it
> > is not snoop.jsp but the snoop servlet run from an extension
> > mapping in the jsp directory.  Would just modifying the build to
> > remove SnoopServlet.class from the examples war (but leaving the
> > java file) work?  It still will provide ugly failures but it's
> > the most painless and certainly quickest fix. Leaving the source
> > still allows for development use.  Unless there is objection I
> > intend on modifying the build.xml tomorrow to do this for the
> > dist target.  This is the last outstanding bugtraq bug that I
> > know of.
> 
> +1 if the line launching the snoop sample is also removed from
> examples/jsp/index.html
> 
> - Sam Ruby
> 
> Danno Ferrin <shemnon@earthlink.net> on 07/26/2000 02:34:49 PM
> 
> Please respond to tomcat-dev@jakarta.apache.org
> 
> To:   tomcat-dev@jakarta.apache.org
> cc:
> Subject:  Re: Tomcat 3.2
> 
>     After reading the bugtraq a little closer I realized that it is not
> snoop.jsp but the snoop servlet run from an extension mapping in the jsp
> directory.  Would just modifying the build to remove SnoopServlet.class
> from the examples war (but leaving the java file) work?  It still will
> provide ugly failures but it's the most painless and certainly quickest
> fix. Leaving the source still allows for development use.  Unless there
> is objection I intend on modifying the build.xml tomorrow to do this for
> the dist target.  This is the last outstanding bugtraq bug that I know
> of.
> 
> please reply with +'s and -'s
> 
> --Danno
> 
> cmanolache@yahoo.com wrote:
> >
> > >
> > > That leaves the snoop.jsp bug and the admin context insecurity.  The
> > > admin.war could just be distributed in a different location and we put
> >
> > I think I resolved admin context - even if it is loaded, the admin must
> > edit server.xml and turn "trusted" to "true" ( the default is false ).
> >
> > Without this flag the admin can't access tomcat internals and can't do
> > anything wrong ( it's a bit ugly - since it can't get the internal
> > Context it will display a NPE ).
> >
> > I also added a security constraint requiring "admin" role to access the
> > admin app.  The server admin must edit tomcat-users and add a user/pass
> > that have admin role in order for admin app to work.
> >
> > I think it's enough for now, probably we need to document this ( in the
> > FAQ or in admin index.html )
> >
> > I don't remember what was the problem with snoop.jsp - but regarding
> > stack traces there are many other servlet engines showing stack traces
> > on error.
> > We do need a solution, but probably tomcat 3.3 is the best place to
> > implement it.
> >
> > Costin
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
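The admin-context hardening Costin describes (the trusted flag in server.xml, a security constraint requiring the admin role, and a matching tomcat-users entry), written out as added configuration fragments that are not from the original thread. The element and attribute names follow Tomcat 3.2 conventions as I recall them and are an assumption; the user name and password are constructed placeholders.

```xml
<!-- conf/server.xml: leave the admin context non-trusted (the default) so it
     cannot reach Tomcat internals; set trusted="true" only deliberately.
     Attribute names assumed from Tomcat 3.2. -->
<Context path="/admin" docBase="webapps/admin" trusted="false" />

<!-- webapps/admin/WEB-INF/web.xml: require the "admin" role for every URL in
     the admin app, and let the container challenge with BASIC auth. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Admin</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- conf/tomcat-users.xml: no shipped user carries the admin role; the server
     admin adds one. "CHANGE-ME" is a constructed placeholder, not a default. -->
<tomcat-users>
  <user name="tomcatadmin" password="CHANGE-ME" roles="admin" />
</tomcat-users>
```

With the constraint in place but no user holding the admin role, every request to /admin is refused by the container before the application code runs, which is the default-deny state the thread is aiming for.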
