tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 13365] New: - JSP source disclosure vulnerability not fixed when invoking servlets by name
Date Mon, 07 Oct 2002 16:05:19 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365

JSP source disclosure vulnerability not fixed when invoking servlets by name

           Summary: JSP source disclosure vulnerability not fixed when
                    invoking servlets by name
           Product: Tomcat 4
           Version: 4.1.12
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: tmoore@blackboard.com


The fix for the JSP source disclosure security hole is incomplete.  Currently, 
it rejects servlet names starting with org.apache.catalina, but this solution 
fails to take into account the fact that servlets can be invoked by their name, 
and not just their class name.  To see an example of this, on a stock 4.1.12 
installation, uncomment the invoker servlet mapping in the default web.xml and 
go to this URL:

http://localhost:8080/examples/servlet/default/jsp/snp/snoop.jsp

The important part is the "/servlet/default" fragment, which will bypass the 
new security checks and invoke the default servlet.

Although this is less of a problem than the one discovered originally (since 
the servlet mapping is commented out by default) I believe that a lot of people 
using Tomcat are relying on the invoker servlet, and so uncommented the mapping 
in their 4.0.5 and 4.1.12 installations.  Therefore there's reason to believe 
that there are still a large number of vulnerable servers out there.

I haven't tested this on 4.0.5, but I'm assuming that it's also vulnerable.

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message