Apache Tomcat Source Disclosure Hole
joe writes "Apache has released a security warning in its popular server Tomcat. This security hole allows non-authenticated users to retrieve source code of web applications on the server."
No. It means that JSP code can be retrieved without being processed first.
When a user requests a .jsp page, Tomcat takes all the HTML code on the .jsp page and sticks it in the equivalent of a printf(). The Java code on the page is just interspersed between the HTML output. After this, it compiles the resulting Java, and uses the compiled Java to create the output for the requested URL for subsequent requests. At no point should the user be able to see the .jsp code (just like with ASP, ColdFusion, etc.).
--Be human.
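
A defender-side check for the condition discussed above, added here as an example and not part of the original comment or of Tomcat: it scans an HTTP response body for JSP constructs that should have been translated away before anything reached the client. The function name and both sample bodies are constructed for illustration.

```python
import re

# JSP constructs the container should translate into servlet code; none of
# them should appear in a response. Order matters: comments are removed first
# so markers nested inside a JSP comment are not counted a second time.
JSP_MARKERS = [
    ("comment",     re.compile(r"<%--.*?--%>", re.S)),
    ("directive",   re.compile(r"<%@.*?%>", re.S)),
    ("declaration", re.compile(r"<%!.*?%>", re.S)),
    ("expression",  re.compile(r"<%=.*?%>", re.S)),
    ("scriptlet",   re.compile(r"<%(?![-@!=]).*?%>", re.S)),
    ("action",      re.compile(r"<jsp:[A-Za-z]+\b[^>]*>")),
]

def find_jsp_source_leak(body: str) -> dict:
    """Return {kind: count} of unprocessed JSP constructs in a response body.

    Heuristic only: an empty dict means no raw JSP markers were seen.
    """
    found = {}
    remaining = body
    for kind, pattern in JSP_MARKERS:
        # Blank out each match so later, broader patterns cannot re-match it.
        remaining, count = pattern.subn(" ", remaining)
        if count:
            found[kind] = count
    return found

# Constructed sample: what a correctly processed page looks like to the client.
RENDERED = "<html><body><p>Hello, guest</p><p>Items: 3</p></body></html>"

# Constructed sample: the same page served as raw source (the disclosure case).
RAW_JSP = """<%@ page import="java.util.*" %>
<%-- constructed sample, <%= not counted %> --%>
<html><body>
<% String user = request.getParameter("user"); %>
<p>Hello, <%= user %></p>
<jsp:include page="footer.jsp" />
</body></html>"""

if __name__ == "__main__":
    for name, body in (("rendered", RENDERED), ("raw", RAW_JSP)):
        print(name, find_jsp_source_leak(body) or "clean")
```
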