No your best bet is to comment out the following line (and no it won't be all on one line) from your web.xml file then schedule to upgrade to Tomcat 4.1.12 Stable or Tomcat 4.0.5. <servlet-mapping> <servlet-name>invoker</servlet-name> <url-pattern>/servlet/*</url-pattern> </servlet-mapping> The Jakarta Team has already posted a response to this bug, it can be viewed here: http://jakarta.apache.org/site/news.html ------------------ Martin Robson Radial Software Development Inc. Direct - (604) 868-1503 Main - (604) 692-5971 martin@radialsoftware.com http://www.radialsoftware.com -----Original Message----- From: Marcin Jackowski [mailto:master@px.pl] Sent: Tuesday, September 24, 2002 12:30 PM To: bugtraq@securityfocus.com Subject: Re: JSP source code exposure in Tomcat 4.x [...] > > 3.2 Workaround: [...] Quicker (brute) method - remove completely $TOMCAT_HOME/server/lib/servlets-default.jar. The server complains but applications seem to work correctly (unless you're using it). Stated for Tomcat version 4.0.1, 4.0.4 and 4.1.10. Marcin Jackowski
