tomcat-dev mailing list archives

From "Remy Maucherat" <>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
Date Fri, 12 Oct 2001 20:08:16 GMT
> Very good.
> Now SSI - it also seems to allow executing arbitrary exe :-)
> BTW, make sure SSIExec is not included in any jar file - otherwise the
> hacker will just use it ( no need for the servlet, it's a bit more
> difficult to exploit than the cgi servlet, but still disables the
> sandbox )

The helpers are in the SSI JAR, so removing it should solve the problem.

Anything else ?

It should be pointed out that the default configuration was secure, just
that the default configuration left the server side sandboxing exploit

