Message-ID: <1032919138.3d911862c5c22@imp.rexursive.com>
Date: Wed, 25 Sep 2002 11:58:58 +1000
From: Bojan Smojver
To: Tomcat Developers List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
References: <200209242015.46607.steve.downey@netfolio.com>
In-Reply-To: <200209242015.46607.steve.downey@netfolio.com>

Quoting Steve Downey:

> Perhaps you would prefer this exploit?
>
> http://localhost:8080/velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm
>
> Horrors! Velocity is insecure!
>
> The DefaultServlet exploit is a general security problem in Tomcat. JSP may
> be somewhat more vulnerable, due to the (somewhat naive) expectation that the
> source will be confidential, but it's not really JSP per se that is at
> fault.

Actually, there is a big difference here.
You're assuming that Velocity macro pages are programs (well, classes) like
JSPs and therefore probably contain security sensitive information. Usually
what you'll see is something like this:

----------------------------------------
#foreach($role in $roles)
#if($fields.rolename && $fields.rolename==$role.rolename)
#else
#end
#end
----------------------------------------

This is a (very typical) snippet from a VM that does editing of the Tomcat
users/roles database in one of my applications. I don't care if people see
that code at all because the template doesn't do anything but templating. The
beef is elsewhere (i.e. MVC).

Bojan

PS. Glenn, my apologies, I was just answering a direct question.
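The request pattern Steve quotes above, a container-internal servlet class named directly under the /servlet/ path so that it serves the raw file, is something a defender can look for in Tomcat access logs. This Python is an added example, not code from this thread or from Tomcat; the log lines and the internal-package prefix list are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2002:20:15:46 -0400] "GET /velexample/index.jsp HTTP/1.0" 200 1532
10.0.0.5 - - [24/Sep/2002:20:15:51 -0400] "GET /velexample/servlet/org.apache.catalina.servlets.DefaultServlet/sample.vm HTTP/1.0" 200 842
10.0.0.9 - - [24/Sep/2002:20:16:02 -0400] "GET /velexample/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp HTTP/1.0" 200 2210
10.0.0.7 - - [24/Sep/2002:20:16:10 -0400] "GET /velexample/servlet/com.example.MyServlet HTTP/1.0" 200 310
10.0.0.7 - - [24/Sep/2002:20:16:15 -0400] "POST /velexample/login HTTP/1.0" 302 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Direct invocation of a servlet by class name under the /servlet/ mapping,
# optionally followed by a resource path that the invoked servlet will serve.
INVOKER_RE = re.compile(r'/servlet/(?P<cls>[A-Za-z_][\w.]*)(?P<rest>/\S*)?$')

# Container-internal packages whose servlets should never be reached this way.
# "org.apache.catalina." is the prefix from the URL quoted in the thread; the
# tuple itself is an assumption of this example, extend it for your container.
INTERNAL_CLASS_PREFIXES = ("org.apache.catalina.",)


def flag_internal_invocations(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose request path invokes a container-internal
    servlet class directly through the /servlet/ mapping."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        entry = m.groupdict()
        inv = INVOKER_RE.search(entry["path"])
        if inv and inv.group("cls").startswith(INTERNAL_CLASS_PREFIXES):
            entry["servlet_class"] = inv.group("cls")
            entry["served_resource"] = inv.group("rest") or ""
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in flag_internal_invocations(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["servlet_class"], hit["served_resource"])
```

Requests to an application's own servlets under /servlet/ (the com.example line) are left alone; only container-internal classes are reported, together with the resource the request asked that class to serve.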