Covalent Technologies has confirmed a security vulnerability is present in all Apache Tomcat 4x versions (including Tomcat 4.0.4 and Tomcat 4.1.10) that allows the use of a specially crafted URL to return the unprocessed source of a JSP page. Under special circumstances it can return a static resource that would otherwise have been protected by security constraint, without the need of being properly authenticated.
The company said that Covalent Tomcat users should take precautions to prevent the inadvertent exposure of source code. Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability. This particular configuration is available in the default Tomcat configuration.
The workaround for Tomcat installations is to disable the invoker servlet found in the default webapp configuration.
In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment (but also check the Covalent Web page for the latest details):
Covalent plans to remove this vulnerability when it releases updated versions of Tomcat 4.x as part of its product update cycle.