tomcat-dev mailing list archives

From <cost...@covalent.net>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
Date Fri, 12 Oct 2001 19:45:37 GMT
Very good.

Now SSI - it also seems to allow executing arbitrary exe :-)

BTW, make sure SSIExec is not included in any jar file - otherwise the
hacker will just use it (no need for the servlet, it's a bit more
difficult to exploit than the cgi servlet, but still disables the sandbox)

Costin

On 12 Oct 2001 remm@apache.org wrote:

>
>   Modified:    catalina/src/conf Tag: tomcat_40_branch web.xml
>   Log:
>   - Add tougher restrictions on the use of the CGI servlet by default, since the current
>     installation seems to me exploit prone (although no actual exploit does exist at
>     the moment).
>   - The default web.xml won't attempt to load the CGI servlet anymore (under a
>     security manager, we would have needed to edit the configuration file to make
>     it secure).
>   - The CGI servlet classes won't be available for loading by a web application.
>     The JAR containing the classes will have to be renamed first.
>
>   Revision  Changes    Path
>   No                   revision
>
>
>   No                   revision
>
>
>   1.22.2.4  +6 -2      jakarta-tomcat-4.0/catalina/src/conf/web.xml
>
>   Index: web.xml
>   ===================================================================
>   RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v
>   retrieving revision 1.22.2.3
>   retrieving revision 1.22.2.4
>   diff -u -r1.22.2.3 -r1.22.2.4
>   --- web.xml	2001/10/11 04:10:23	1.22.2.3
>   +++ web.xml	2001/10/12 19:29:41	1.22.2.4
>   @@ -202,6 +202,11 @@
>      <!--   debug               Debugging detail level for messages logged     -->
>      <!--                       by this servlet.  [0]                          -->
>
>   +  <!-- IMPORTANT: To use the CGI servlet, you also need to rename the       -->
>   +  <!--            $CATALINA_HOME/server/lib/servlets-cgi.renametojar to     -->
>   +  <!--            $CATALINA_HOME/server/lib/servlets-cgi.jar                -->
>   +
>   +<!--
>      <servlet>
>        <servlet-name>cgi</servlet-name>
>        <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
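Review bot: The IMPORTANT comment added above `<servlet>` names only the rename of `servlets-cgi.renametojar`, yet the `<!--` opened on the last added line means the `<servlet>` definition also has to be uncommented before the CGI servlet can be used. State both steps in the comment. The log message also says the configuration file needs editing to be secure under a security manager; a one-line pointer to that here would put the caveat in front of whoever re-enables the servlet.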
>   @@ -217,10 +222,9 @@
>          <param-name>cgiPathPrefix</param-name>
>          <param-value>WEB-INF/cgi</param-value>
>        </init-param>
>   -<!--
>         <load-on-startup>5</load-on-startup>
>   --->
>       </servlet>
>   +-->
>
>
>      <!-- ================ Built In Servlet Mappings ========================= -->
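Review bot: `<load-on-startup>5</load-on-startup>` is now live inside the commented-out block, so anyone who removes the outer comment gets the CGI servlet loaded at startup, which revision 1.22.2.3 did not do. The inner comment markers had to go because XML comments cannot nest, so either delete the element or mention it in the IMPORTANT comment. The context ends at the Built In Servlet Mappings section: if a mapping for `cgi` exists further down, it needs to be commented out in the same change, otherwise it refers to a servlet that is no longer defined.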
>
>
>
>
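Costin's remark about SSIExec and the commit's JAR rename both come down to which archives on disk still carry the process-launching classes. The following is an added example (not from the thread or from Tomcat) that audits a directory tree for them; the sample layout, the `example` package and the assumption that class loaders pick up only `*.jar` archives are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Class file names from the thread; SSIExec's package is not given on the page,
# so entries are matched on the file name only.
RISKY = ("CGIServlet.class", "SSIExec.class")

def risky_entries(path):
    """Return risky class entries inside one zip-format archive."""
    with zipfile.ZipFile(path) as zf:
        return sorted(n for n in zf.namelist() if n.rsplit("/", 1)[-1] in RISKY)

def audit(root):
    """Map relative path -> (status, entries) for everything carrying a risky class.

    'loadable': a *.jar archive or a loose .class file.
    'dormant' : a zip archive under another extension (servlets-cgi.renametojar),
                assumed to be skipped by class loaders that only scan for *.jar.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in RISKY:
                findings[rel] = ("loadable", [name])
            elif zipfile.is_zipfile(full):
                hits = risky_entries(full)
                if hits:
                    status = "loadable" if name.lower().endswith(".jar") else "dormant"
                    findings[rel] = (status, hits)
    return findings

def build_sample(root):
    """Constructed directory tree standing in for a Tomcat install."""
    layout = {
        "server/lib/servlets-cgi.renametojar": "org/apache/catalina/servlets/CGIServlet.class",
        "webapps/app/WEB-INF/lib/extra.jar": "example/SSIExec.class",  # constructed package
        "common/lib/harmless.jar": "example/Hello.class",
    }
    for rel, entry in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            zf.writestr(entry, b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, (status, hits) in sorted(audit(build_sample(tmp)).items()):
            print(status, path, hits)
```

A `dormant` finding is the state the commit intends for the CGI classes; a `loadable` finding inside a web application's `WEB-INF/lib` is the case the reply warns about.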

