PT-2003-1148 · Apache · Apache Tomcat

Published: 2003-01-17 · Updated: 2022-04-30 · CVE-2002-1394

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 4.0.5 and earlier

Description
The issue allows remote attackers to read source code for server files or bypass certain protections. A specially crafted URL using the invoker servlet in conjunction with the default servlet can enable an attacker to obtain the source of JSP pages or, under special circumstances, a static resource that would otherwise have been protected by a security constraint, without the need to be properly authenticated.

Recommendations
For Apache Tomcat versions 4.0.5 and earlier, consider disabling the invoker servlet until a patch is available to prevent exploitation. Restrict access to the default servlet to minimize the risk of bypassing security constraints. Avoid using the invoker servlet in conjunction with the default servlet to prevent reading source code for server files.
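The following is an added configuration example illustrating the first two recommendations; it is not part of the advisory and not taken from the Tomcat project. It assumes the layout of a stock Tomcat 4.x $CATALINA_HOME/conf/web.xml, in which the invoker servlet is declared under the name "invoker" and mapped to /servlet/*; the surrounding declarations of a real installation may differ. The first block is the shipped (weak) state, the second is the hardened state.

```xml
<!-- WEAK (as shipped in Tomcat 4.0.x, assumed layout): the invoker servlet is
     declared and mapped, so arbitrary servlet classes can be addressed through
     the /servlet/* prefix, which is what the advisory's crafted URL relies on. -->
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>

<!-- HARDENED (added example): the invoker declaration and its mapping are
     commented out, so no servlet answers under /servlet/* at all. As a second
     layer, an empty <auth-constraint/> on the same path denies every request
     to it even if a later edit re-enables the mapping by mistake. -->
<web-app>
  <!--
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

  <!-- Deny all principals access to the former invoker path. An empty
       auth-constraint means "no role may access", per the Servlet 2.3 spec. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Former invoker path (added example)</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

After editing the global conf/web.xml, restart Tomcat and confirm that a request to any path beneath /servlet/ returns 403 or 404 rather than dispatching to a class; the per-webapp WEB-INF/web.xml files should also be checked, since an application can declare its own invoker mapping independently of the global file.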

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2002-1394
DSA-225
GHSA-8V5P-2CPV-C2X6

Affected Products

Apache Tomcat