A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10). It allows a specially crafted URL to return the unprocessed source of a JSP page or, under special circumstances, a static resource that would otherwise have been protected by a security constraint, without the requester being properly authenticated. The vulnerability is triggered by using the invoker servlet in conjunction with the default servlet (which handles static content in Tomcat); this combination is present in the default Tomcat configuration. An easy workaround for existing Tomcat installations is to disable the invoker servlet in the default webapp configuration. The Tomcat 4.1.x port should be updated to 4.1.12. See: http://jakarta.apache.org/site/news.html
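A check for the workaround described above, added here as an example that is not part of this PR or of Tomcat itself: it parses a Tomcat 4 style web.xml and reports whether the invoker servlet is still mapped, so an administrator can verify the mapping was really disabled. The two web.xml fragments are constructed samples, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Class name of the invoker servlet as shipped in Tomcat 4's conf/web.xml.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample: the relevant part of a Tomcat 4 conf/web.xml
# (Servlet 2.3 DTD style, no XML namespace) with the invoker servlet
# defined and the default servlet handling static content.
WEB_XML_HEAD = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
"""
INVOKER_MAPPING = """  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
"""
# Vulnerable: invoker mapped.  Hardened: the mapping commented out, which is
# the workaround the advisory recommends.
VULNERABLE_WEB_XML = WEB_XML_HEAD + INVOKER_MAPPING + "</web-app>\n"
HARDENED_WEB_XML = WEB_XML_HEAD + "  <!--\n" + INVOKER_MAPPING + "  -->\n</web-app>\n"


def invoker_mappings(web_xml: str) -> list[str]:
    """Return the url-patterns mapped to the invoker servlet.

    Commented-out elements are dropped by the XML parser, so a non-empty
    result means the invoker is still reachable.  Assumes the un-namespaced
    Servlet 2.3 web.xml layout used by Tomcat 4.
    """
    root = ET.fromstring(web_xml)
    invoker_names = {
        s.findtext("servlet-name", "").strip()
        for s in root.iter("servlet")
        if s.findtext("servlet-class", "").strip() == INVOKER_CLASS
    }
    return [
        m.findtext("url-pattern", "").strip()
        for m in root.iter("servlet-mapping")
        if m.findtext("servlet-name", "").strip() in invoker_names
    ]


def invoker_enabled(web_xml: str) -> bool:
    """True if the invoker servlet has at least one active url-pattern."""
    return bool(invoker_mappings(web_xml))
```

Point `invoker_mappings` at the text of conf/web.xml (and each webapp's WEB-INF/web.xml) on a real installation; an empty result confirms the workaround is in place.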
Responsible Changed From-To: freebsd-ports->znerd I'll handle this myself.
Here's a patch: http://people.FreeBSD.org/~znerd/tomcat4.1.12.diff
State Changed From-To: open->closed Committed.