
Disabling invoker servlet in Tomcat4



Hi folks!

Last night I decided to test my server by attacking it with Nessus. One 
of the things it reported was a vulnerability in Tomcat. I figured this 
was the most appropriate forum to discuss this.

It pointed me to 
http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt

I went in and commented out the following section in 
/etc/tomcat4/web.xml:
  <!-- servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping -->

and it seems that is a valid workaround (don't take my word for it 
though, I'm really a newbie!)

However, the servlet examples don't work anymore. That's OK with me, 
but I guess it is difficult to disable the invoker servlet by default. 
Another option is perhaps to provide an explicit mapping for the examples, 
or something. 

Anyway, I thought I'd bring it up. :-)

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
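An added check, not part of Kjetil's post, that parses a Tomcat web.xml and reports which url-patterns still route to the invoker servlet, so an administrator can confirm the commented-out mapping really is inactive. The two web.xml fragments are constructed samples modelled on the Tomcat 4 default (the InvokerServlet class name is Tomcat's own); the namespace stripping is a generalisation so the same check also works on later, namespaced Servlet 2.4+ descriptors.

```python
import xml.etree.ElementTree as ET

INVOKER_SERVLET = "invoker"

def _local(tag):
    # Drop any XML namespace so Servlet 2.3 (no namespace) and 2.4+ files both work.
    return tag.rsplit("}", 1)[-1]

def invoker_url_patterns(web_xml_text):
    """Return the url-patterns an active <servlet-mapping> gives the invoker servlet.
    The parser discards XML comments, so a commented-out mapping yields []."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root:
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = url = None
        for child in mapping:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                url = (child.text or "").strip()
        if name == INVOKER_SERVLET and url:
            patterns.append(url)
    return patterns

# Constructed sample: the Tomcat 4 default web.xml maps the invoker at /servlet/*.
BEFORE = """<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file with the mapping commented out, as in the post.
AFTER = BEFORE.replace("<servlet-mapping>", "<!-- servlet-mapping>") \
              .replace("</servlet-mapping>", "</servlet-mapping -->")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", invoker_url_patterns(text) or "invoker not mapped")
```

Note that the `<servlet>` definition itself is left in place in both samples; only the mapping decides whether requests can reach the invoker, which is why the check looks at `<servlet-mapping>` rather than `<servlet>`.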


