Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Tomcat Source Disclosure Hole

Posted by michael on from the now-slightly-more-patchy dept.

joe writes "Apache has released a security warning in its popular server Tomcat. This security hole allows non authenticated users to retrieve source code of web applications on the server."

14 comments

  1. You mean that ... by raxhonp · · Score: 3, Funny

    apache and tomcat are open source, that's it?

    1. Re:You mean that ... by The+Mayor · · Score: 3, Informative

      No. It means that JSP code can be retrieved without being processed first.

      When a user requests a .jsp page, Tomcat takes all the HTML code on the .jsp page and sticks it in the equivalent of a printf(). The Java code on the page is just interspersed between the HTML output. After this, it compiles the resulting Java, and uses the compiled Java to create the output for the requested URL for subsequent requests. At no point should the user be able to see the .jsp code (just like with ASP, cold fusion, etc etc).

      --
      --Be human.
    2. Re:You mean that ... by Utopia · · Score: 1

      I think he/she already knew that.
      The poster probably meant it as a joke.

      That post should be modded as funny.

    3. Re:You mean that ... by raxhonp · · Score: 1
      Yes, indeed it's not a troll, a flamebait or whatever, just a (stupid) joke.

      But I still think they did it on purpose, to spread the open source philosophy in an unknown manner, on a level never reached before.

  2. Hmmmm. by Gaijin42 · · Score: 5, Insightful

    I think its very interesting that this article is posted on the Apache subsite, when Slashdot is touted as the source for Open Source news. This is the type of thing you would want to get out to as many users as possible so they can all get patched (Isn't that the advantage to Open Source? You can patch it? Or have someone smarter than you patch it for you?)

    Meanwhile, every obscure, really difficult to implement, not really dangerous IIS flaw makes it to the frontpage, so we can have 500 comments of MS sucks, use open source, it can be patched faster!

    No wonder the views are so lopsided. Massive exposure to every MS bug. Hide every open source bug.

    Bring on the moderation. Its not that big of a deal...

    1. Re:Hmmmm. by SN74S181 · · Score: 1

      This article appeared on the main page for me, for however I have my main page configured (??). I have been wondering why it has sat here with less than five comments added for an hour, though.

    2. Re:Hmmmm. by funkman · · Score: 2

      It was emailed to the tomcat user list, Developer list and the announce list. For those interested in tomcat - they were made aware.

    3. Re:Hmmmm. by ILikeRed · · Score: 2

      Find a MS centered news site....

      Actually, though, it's nice to see that Linux and opensource in general has come so far that it's now the Microsoft camp that are zealots and the voice of hysteria. I think this only changed in the last two years or so.

      And opensource projects are tradionally patched faster, so there! ;-) I think the troll actually made my day.

      --
      I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    4. Re:Hmmmm. by Anonymous Coward · · Score: 0

      As are all liscenced IIS operators informed of security problems and hotfix availablility, so there's not really any reason to continuously drag MS through the mud and then do the exact opposite to O.S. programs. The original posters point is still crystal clear absolutly true.

    5. Re:Hmmmm. by doc_side · · Score: 2, Interesting

      Since I am not a regular reader of bugtraq or anything of the like, I think its nice when a big hole in a product appears on slashdot. With that being said, if every little open or closed source bug appeared on slashdot, smack on the front page, then I should say that this page's focus would be altered.

      I do see your point however, that some bugs seem to be presented in a more obfucated way than others are.

    6. Re:Hmmmm. by thelexx · · Score: 2

      What BS. No moderation necessary.

      From Bugtraq:

      Apache AND Tomcat - All Versions - 51 combined (18 Tomcat / 33 Apache )

      IIS - All Versions - 102

      Microsoft products DO suck.

      And there's this:

      "The Apache Tomcat Team announces the immediate availability of new releases which include a fix to the invoker servlet.
      Binary and source distributions for Apache Tomcat 4.1.12 Stable are available here.
      Binary and source distributions for Apache Tomcat 4.0.5 are available here."

      How long would MS have you wait before a fix? Hell, before even _telling_ you if they had their way and it wasn't uncovered by a third-party?

      Still, this news item _should_ have been on the front page. ;)

      LEXX

      --
      "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
  3. Not that many apache users use tomcat by phr2 · · Score: 2

    This isn't like a bug in Apache httpd, or for that matter like a bug in IIS or Outlook. It's more like a bug in some infrequently used IIS plug-in. I don't think either would merit getting on /.'s front page.

    1. Re:Not that many apache users use tomcat by aled · · Score: 1

      While it's true it isn't a bug in httpd Tomcat is used by a lot of people as web container for jsp pages. A lot less than httpd for sure, but for those that use it is a very serious issue. We are talking IBM (bundled a version in AS/400), Borland and others big name here. And others products may be based in Tomcat code for all we know. This bug could let access to your database password in many cases.

      --

      "I think this line is mostly filler"
  4. last post by Anonymous Coward · · Score: 0

    We're gonna close her up soon.