tomcat-dev mailing list archives

From <cmanola...@yahoo.com>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
Date Fri, 12 Oct 2001 20:02:40 GMT
On Fri, 12 Oct 2001 costinm@covalent.net wrote:

> Very good.
>
> Now SSI - it also seems to allow executing arbitrary exe :-)
>
> BTW, make sure SSIExec is not included in any jar file - otherwise the
> hacker will just use it ( no need for the servlet, it's a bit more
> difficult to exploit than the cgi servlet, but still disables the sandbox )

Sorry, my mistake - removing SSIExec is not necessary ( the problem happens
only if code that doesn't cross into untrusted area ). Removing SSI
servlet is necessary ( same as for the cgi servlet ).

Costin
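As an added defender's check, not part of this thread or of the Tomcat source: a script that parses a Tomcat web.xml and reports whether the ssi or cgi servlets are still declared and mapped, which is the state the message above says must be removed. The sample web.xml is constructed, and the servlet names and class names are assumed from Tomcat's default configuration.

```python
import xml.etree.ElementTree as ET

# Servlet names Tomcat's default web.xml gives the two servlets this thread
# says must be removed (assumed from the default configuration).
RISKY_SERVLET_NAMES = {"ssi", "cgi"}


def find_enabled_risky_servlets(web_xml: str) -> dict:
    """Return {servlet-name: [url-patterns]} for ssi/cgi servlets that are
    still declared. The parser drops XML comments, so a servlet that was
    disabled by commenting it out correctly does not show up."""
    root = ET.fromstring(web_xml)
    # Handle both unqualified and namespaced (xmlns="...") web-app roots.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    declared = {}
    for servlet in root.iter(ns + "servlet"):
        name = (servlet.findtext(ns + "servlet-name") or "").strip()
        if name in RISKY_SERVLET_NAMES:
            declared[name] = []
    for mapping in root.iter(ns + "servlet-mapping"):
        name = (mapping.findtext(ns + "servlet-name") or "").strip()
        if name in declared:
            declared[name].append((mapping.findtext(ns + "url-pattern") or "").strip())
    return declared


# Constructed sample: ssi is still live and mapped, cgi has been commented out.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  -->
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    for name, patterns in find_enabled_risky_servlets(SAMPLE_WEB_XML).items():
        print(f"{name}: still declared, mapped to {patterns or 'nothing'}")
```

An empty result means neither servlet is declared any more; a name with an empty pattern list means the declaration survived even though its mapping was removed.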

