
Disabling invoker servlet in Tomcat4

Hi folks!

Last night I decided to test my server by attacking it with Nessus. One 
of the things it reported was a vulnerability in Tomcat. I figured this 
was the most appropriate forum to discuss this.

It pointed me to 

I went in and commented out the following section in 
  <!-- servlet-mapping>
  </servlet-mapping -->

and it seems that is a valid workaround (don't take my word for it 
though, I'm really a newbie!)

However, the servlet examples don't work anymore, that's OK with me, 
but I guess it is difficult to disable the invoker servlet by default. 
Another option is perhaps to provide an explicit map for the examples, 
or something. 

Anyway, I thought I'd bring it up. :-)


Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
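
A way to verify the workaround described in the post, added here as an example and not part of the original message: the script parses a web.xml and reports any uncommented servlet-mapping that still points at the invoker servlet. The servlet name `invoker`, the class name and the `/servlet/*` pattern are assumptions taken from Tomcat 4's stock conf/web.xml, and both sample documents are constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: class name of the invoker servlet in Tomcat 4's stock conf/web.xml.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample with the invoker mapping active (not taken from the post).
SAMPLE_ACTIVE = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample with the mapping commented out in the style the post shows.
SAMPLE_DISABLED = (SAMPLE_ACTIVE
                   .replace("<servlet-mapping>", "<!-- servlet-mapping>")
                   .replace("</servlet-mapping>", "</servlet-mapping -->"))

def local(tag):
    """Strip an XML namespace so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Return the stripped text of the first direct child called name."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def active_invoker_mappings(xml_text):
    """Return url-patterns of live mappings that reach the invoker servlet."""
    root = ET.fromstring(xml_text)  # the parser drops commented-out sections
    names = {"invoker"}             # conventional name, plus any renamed copy
    for e in root.iter():
        if local(e.tag) == "servlet" and child_text(e, "servlet-class") == INVOKER_CLASS:
            names.add(child_text(e, "servlet-name"))
    return [(c.text or "").strip()
            for e in root.iter() if local(e.tag) == "servlet-mapping"
            and child_text(e, "servlet-name") in names
            for c in e if local(c.tag) == "url-pattern"]

if __name__ == "__main__":
    for path in sys.argv[1:]:       # pass one or more web.xml paths
        with open(path, encoding="utf-8") as fh:
            found = active_invoker_mappings(fh.read())
        print(path, "invoker ACTIVE at" if found else "invoker not mapped", *found)
```

Run it against both the server-wide web.xml and each web application's own WEB-INF/web.xml, since a mapping in either place keeps the invoker reachable.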
