Disabling invoker servlet in Tomcat4
Hi folks!
Last night I decided to test my server by attacking it with Nessus. One
of the things it reported was a vulnerability in Tomcat. I figured this
was the most appropriate forum to discuss this.
It pointed me to
http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt
I went in and commented out the following section in
/etc/tomcat4/web.xml:
<!-- servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping -->
and it seems that is a valid workaround (don't take my word for it
though, I'm really a newbie!)
However, the servlet examples don't work anymore; that's OK with me,
but I guess it is difficult to disable the invoker servlet by default.
Another option is perhaps to provide an explicit map for the examples,
or something.
Anyway, I thought I'd bring it up. :-)
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
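The post's workaround leaves the invoker servlet declared but removes the /servlet/* mapping that exposes it. A practitioner will want a way to confirm, after editing, that no url-pattern still routes to the invoker servlet. The following script is an added example, not code from the original post or from the Tomcat project: it parses a Tomcat web.xml with the standard library and lists every url-pattern mapped to the servlet named "invoker". The two embedded descriptors are constructed samples (the mapping as shipped, and the same mapping commented out as in the post); the servlet-class name is the one Tomcat 4 ships for the invoker and is assumed here only to make the sample realistic.

```python
"""Report url-patterns still routed to Tomcat's invoker servlet.

Added example, not part of the original post. Because the XML parser
discards comments, a <servlet-mapping> that has been commented out (the
post's workaround) is correctly reported as inactive, while a mapping
that is merely moved or duplicated elsewhere in the file is still found.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the invoker mapping as it ships in conf/web.xml.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <!-- assumed class name; shipped with Tomcat 4 -->
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file after the post's workaround.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<servlet-mapping>\n    <servlet-name>invoker</servlet-name>\n"
    "    <url-pattern>/servlet/*</url-pattern>\n  </servlet-mapping>",
    "<!-- servlet-mapping>\n    <servlet-name>invoker</servlet-name>\n"
    "    <url-pattern>/servlet/*</url-pattern>\n  </servlet-mapping -->",
)


def _local(tag):
    """Strip a namespace prefix ('{uri}servlet' -> 'servlet') so the check
    works for the namespace-free 2.3 DTD of Tomcat 4 and for namespaced
    2.4+ descriptors alike."""
    return tag.rsplit("}", 1)[-1]


def invoker_mappings(web_xml_text, servlet_name="invoker"):
    """Return the list of url-patterns mapped to `servlet_name`.

    An empty list means the servlet is unreachable by URL: either no
    mapping exists, or every mapping is inside an XML comment."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for element in root:
        if _local(element.tag) != "servlet-mapping":
            continue
        name = None
        urls = []
        for child in element:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                urls.append((child.text or "").strip())
        if name == servlet_name:
            patterns.extend(urls)
    return patterns


def check_file(path):
    """Parse a web.xml from disk and return its active invoker mappings."""
    with open(path, "r", encoding="iso-8859-1") as fh:
        return invoker_mappings(fh.read())


if __name__ == "__main__":
    # Usage: python check_invoker.py /etc/tomcat4/web.xml
    # Exit status 1 when the invoker servlet is still reachable.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    active = check_file(target) if target else invoker_mappings(VULNERABLE_WEB_XML)
    if active:
        print("invoker servlet still mapped at:", ", ".join(active))
        sys.exit(1)
    print("no active invoker mapping found")
```

Run it against the global /etc/tomcat4/web.xml after commenting out the mapping; a non-zero exit means some mapping to the invoker servlet is still live. Note that this only inspects one descriptor: a web application's own WEB-INF/web.xml can declare its own mapping to the invoker servlet, so each deployed application's descriptor should be checked the same way.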