JSP Source Code Exposure Discovered in Tomcat

By Wayne Kawamoto
Posted Oct 14, 2002


Covalent Technologies has confirmed a security vulnerability present in all Apache Tomcat 4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10) that allows a specially crafted URL to return the unprocessed source of a JSP page. Under special circumstances it can also return a static resource that would otherwise have been protected by a security constraint, without the requester being properly authenticated.

The company said that Covalent Tomcat users should take precautions to prevent the inadvertent exposure of source code. Using the invoker servlet in conjunction with the default servlet (the servlet responsible for handling static content in Tomcat) triggers this vulnerability, and that combination is present in the default Tomcat configuration.

The workaround for Tomcat installations is to disable the invoker servlet found in the default webapp configuration.

In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment (but also check the Covalent Web page for the latest details):

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

Covalent plans to remove this vulnerability when it releases updated versions of Tomcat 4.x as part of its product update cycle.
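One way to confirm the workaround has actually taken effect on a server, as an added shell check that is not part of the article and not code from Covalent or Tomcat: it treats the invoker mapping as live only if it survives once XML comments are stripped, and assumes the mapping layout of the stock Tomcat 4 conf/web.xml plus POSIX awk/grep.

```shell
# Added check, not part of the article or of Tomcat itself: report whether a
# Tomcat 4.x conf/web.xml still carries an uncommented invoker servlet mapping.

# Join the file to one line and drop <!-- ... --> comments (multi-line ones
# included), so a mapping an admin has commented out is not counted as active.
strip_xml_comments() {
  tr -d '\n' < "$1" | awk '{ gsub(/<!--([^-]|-[^-])*-->/, ""); print }'
}

# Exit status 0 if a live <servlet-mapping> names the invoker servlet, 1 otherwise.
# Indentation and line breaks inside the mapping are tolerated.
invoker_mapping_active() {
  strip_xml_comments "$1" |
    grep -q '<servlet-mapping>[[:space:]]*<servlet-name>[[:space:]]*invoker[[:space:]]*</servlet-name>'
}

# Constructed samples: the stock mapping, and the same file after the workaround.
BEFORE="${TMPDIR:-/tmp}/web_before.xml"
AFTER="${TMPDIR:-/tmp}/web_after.xml"
cat > "$BEFORE" <<'EOF'
<web-app>
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
</web-app>
EOF
cat > "$AFTER" <<'EOF'
<web-app>
    <!--
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
    -->
</web-app>
EOF

for f in "$BEFORE" "$AFTER"; do
  if invoker_mapping_active "$f"; then
    echo "$f: invoker mapping ACTIVE - comment it out or remove it"
  else
    echo "$f: invoker mapping disabled"
  fi
done
```

Point it at a real $CATALINA_HOME/conf/web.xml with `invoker_mapping_active "$CATALINA_HOME/conf/web.xml"`; a zero exit status means the vulnerable mapping is still enabled.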
