tomcat-dev mailing list archives
From "Jeff Tulley" <>
Subject Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
Date Wed, 13 Aug 2003 00:02:53 GMT
The user list has been busy lately discussing a possible security hole,
but only 1/3 of the people in the thread could see the problem.  I
finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2,
but NOT with JVM 1.4.1.

The vulnerability is that if you stick a "%20" on the end of a .jsp
url, you get the source.

I forgot to mention the platforms where this has been seen.  I have
seen this with Sun's JVM 1.4.2 on Windows XP, and now I just verified
that it also exists on NetWare's JVM 1.4.2 (built on Sun's source code
base, so not surprising).  It might exist on other 1.4.2 implementations,
but I am not sure.

I also just verified this on Tomcat 4.1.18 and 4.1.26 as well.

For some reason I see it better with the example jsp's -
/examples/jsp/num/numbguess.jsp%20 for instance.  But, you can tell the
problem is going to be there if, when you add the "%20" to the .jsp
name, you don't get a 404.  This is all going directly to port 8080, so
no native connector is involved.

Jeff Tulley  (
Novell, Inc., The Leading Provider of Net Business Solutions 
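The post's indicator is a .jsp request with "%20" appended that does not come back as a 404. The following is an added example (not from the post or from Tomcat) that applies that indicator to access-log lines: it decodes each request path once, flags paths that name a .jsp only after trailing whitespace is removed, and reports the status the server returned. The log lines and the /app/page.jsp path are constructed samples in Tomcat's common log format.

```python
"""Flag access-log requests that append encoded whitespace to a .jsp path.

Added example, not code from the original mailing-list post.  The sample
log lines below are constructed; field positions follow Tomcat's common
log format (host ident user [date] "METHOD path PROTOCOL" status bytes).
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_suspicious_jsp_request(path: str) -> bool:
    """True if the path, decoded once, names a .jsp only after rstrip().

    A literal ".jsp" ending is what the JSP servlet mapping matches; a path
    that reaches ".jsp" only by dropping trailing whitespace is the shape the
    post describes.  The query string is ignored and decoding is done once,
    so a double-encoded "%2520" is not treated as whitespace.
    """
    raw_path = path.split('?', 1)[0]
    decoded = unquote(raw_path)
    stripped = decoded.rstrip()
    return stripped != decoded and stripped.lower().endswith('.jsp')


def scan(log_text: str) -> list:
    """Return (path, status) for every matching request; status != 404 is the
    post's sign that the server did not reject the request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_jsp_request(m.group('path')):
            hits.append((m.group('path'), int(m.group('status'))))
    return hits


# Constructed sample log: one normal hit, two trailing-%20 hits served with
# 200, one double-encoded request, and a non-JSP path with trailing %20.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2003:00:02:53 +0000] "GET /app/page.jsp HTTP/1.1" 200 1834
10.0.0.5 - - [13/Aug/2003:00:03:10 +0000] "GET /app/page.jsp%20 HTTP/1.1" 200 4102
10.0.0.5 - - [13/Aug/2003:00:03:15 +0000] "GET /app/page.jsp%20?x=1 HTTP/1.1" 200 4102
10.0.0.5 - - [13/Aug/2003:00:03:30 +0000] "GET /app/page.jsp%2520 HTTP/1.1" 404 602
10.0.0.7 - - [13/Aug/2003:00:04:00 +0000] "GET /index.html%20 HTTP/1.1" 404 602
"""

if __name__ == '__main__':
    for path, status in scan(SAMPLE_LOG):
        print(f"{status} {path}")
```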
