tomcat-dev mailing list archives

From "Bip Thelin" <Bip.The...@razorfish.com>
Subject RE: cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
Date Fri, 12 Oct 2001 21:10:34 GMT
> -----Original Message-----
> From: Remy Maucherat [mailto:rmaucher1@home.com] 
> 
> > Very good.
> >
> > Now SSI - it also seems to allow executing arbitrary exe :-)
> >
> > BTW, make sure SSIExec is not included in any jar file -
> > otherwise the hacker will just use it ( no need for the servlet,
> > it's a bit more difficult to exploit than the cgi servlet, but
> > still disables the sandbox )
> 
> The helpers are in the SSI JAR, so removing it should solve
> the problem.
> 
> Anything else ?

Wouldn't it be a better solution to add an option to disable ssi exec
that would be disabled by default instead of disabling the whole
package?

	-bip
