tomcat-dev mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
Date Wed, 13 Aug 2003 01:02:01 GMT
Oops, I've missed the discussion. There is a 1.4.2 bug found by Remy 
(and reported in bugtraq as 4895132. I'm not sure you can access the 
bug). The workaround is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can you try it and see if that fixes the problem (I don't have a winXX)? 

-- Jeanfrancois


Jeff Tulley wrote:

>The user list has been busy lately discussing a possible security hole,
>but only 1/3 of the people in the thread could see the problem.  I
>finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2,
>but NOT with JVM 1.4.1.
>
>The vulnerability is that if you stick a "%20" on the end of a .jsp
>url, you get the source.
>
>I forgot to mention the platforms where this has been seen.  I have
>seen this with Sun's JVM 1.4.2 on Windows XP, and now I just verified
>that it also exists on NetWare's JVM 1.4.2 (built on Sun's source code
>base, so not surprising).  It might exist on other 1.4.2 implementations,
>but I am not sure. 
>
>I also just verified this on Tomcat 4.1.18 and 4.1.26 as well.
>
>For some reason I see it better with the example JSPs -
>/examples/jsp/num/numbguess.jsp%20 for instance.  But, you can tell the
>problem is going to be there if, when you add the "%20" to the .jsp
>name, you don't get a 404.  This is all going directly to port 8080, so
>no native connector is involved.
>
>Jeff Tulley  (jtulley@novell.com)
>(801)861-5322
>Novell, Inc., The Leading Provider of Net Business Solutions
>http://www.novell.com 
>
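
An added example, not part of the original thread: a small check to run against your own Tomcat after restarting it with `-Dsun.io.useCanonCaches=false`, to confirm that a `.jsp` URL with a trailing `%20` now returns a 404 instead of the page source. The function names, the marker list and the verdict labels are assumptions made for this sketch; the JSP paths to test are supplied on the command line.

```python
"""Added example: check your own Tomcat for the trailing-%20 JSP behaviour."""
import sys
import urllib.error
import urllib.request

# Substrings found in raw JSP source but not in rendered output (assumed list).
JSP_MARKERS = ("<%", "<jsp:")


def http_fetch(url, timeout=5):
    """Return (status, body) for a GET, treating HTTP errors as results."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("latin-1")


def classify(status, body):
    """Classify the response to a request for <page>.jsp%20."""
    if status == 404:
        return "ok"                # expected answer: no such resource
    if status == 200 and any(marker in body for marker in JSP_MARKERS):
        return "source-disclosed"  # raw JSP text came back
    return "suspect"               # no 404: the warning sign named in the thread


def check(base_url, jsp_paths, fetch=http_fetch):
    """Map each JSP path to the verdict for its %20-suffixed URL."""
    results = {}
    for path in jsp_paths:
        status, body = fetch(base_url.rstrip("/") + path + "%20")
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    # Usage: python check_jsp.py http://localhost:8080 /some/page.jsp [...]
    verdicts = check(sys.argv[1], sys.argv[2:])
    for path, verdict in verdicts.items():
        print(f"{verdict:17} {path}")
    # Non-zero exit if any page did not return a 404, for use in scripts.
    sys.exit(0 if all(v == "ok" for v in verdicts.values()) else 1)
```

Run it once before and once after adding the property; the exit status is non-zero while any tested page still answers without a 404.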

