tomcat-users mailing list archives

From "Cox, Charlie" <c...@cincom.com>
Subject RE: security hole on windows tomcat?
Date Tue, 12 Aug 2003 12:02:55 GMT
Can you turn on debugging for the default servlet (conf/web.xml) and also
turn on the RequestDumperValve (server.xml) and post the log?



> -----Original Message-----
> From: Paul Sundling [mailto:spam@tkz.net]
> Sent: Monday, August 11, 2003 8:43 PM
> To: Tomcat Users List
> Subject: Re: security hole on windows tomcat?
> 
> 
> I never changed the mime-mapping when I installed it.  I run Tomcat
> manually or as a manual service.  When I tried running Tomcat as an
> automatic service, it had trouble.  The only changes I made were in
> configs specific to webapps.  The problem is present on the unmodified
> examples webapp.  The only two jars I added in the SDK were the JDBC
> drivers for Postgres and MySQL.
> 
> Paul Sundling
> 
> Cox, Charlie wrote:
> 
> >Did you change any mime-mappings in conf/web.xml? Could you have a "jsp "
> >in there somewhere defining it as text?
> >
> >>-----Original Message-----
> >>From: Angus Mezick [mailto:amezick@guidestar.org]
> >>Sent: Monday, August 11, 2003 12:15 PM
> >>To: Tomcat Users List
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>Ok guys,
> >>What could I have turned on that would have allowed this bug to happen?
> >>I can make it happen in both Tomcat and Tomcat through Apache.  (Most
> >>recent of both.)  I can provide a site where it DOES happen so you guys
> >>can see what is happening.
> >>
> >>>-----Original Message-----
> >>>From: Cox, Charlie [mailto:ccox@cincom.com] 
> >>>Sent: Monday, August 11, 2003 12:07 PM
> >>>To: 'Tomcat Users List'
> >>>Subject: RE: security hole on windows tomcat?
> >>>
> >>>
> >>>Sorry, I don't know - I don't use Apache. This was just a thought that
> >>>I had.
> >>>
> >>>I do not have this problem with 4.1.24 on Win2k.
> >>>
> >>>Charlie
> >>>
> >>>>-----Original Message-----
> >>>>From: Angus Mezick [mailto:amezick@guidestar.org]
> >>>>Sent: Monday, August 11, 2003 11:49 AM
> >>>>To: Tomcat Users List
> >>>>Subject: RE: security hole on windows tomcat?
> >>>>
> >>>>
> >>>>Charlie,
> >>>>How do you fix this within Apache?
> >>>>
> >>>>>-----Original Message-----
> >>>>>From: Cox, Charlie [mailto:ccox@cincom.com] 
> >>>>>Sent: Monday, August 11, 2003 10:15 AM
> >>>>>To: 'Tomcat Users List'
> >>>>>Subject: RE: security hole on windows tomcat?
> >>>>>
> >>>>>
> >>>>>Do you have Apache on the front end and are you only mapping *.jsp,
> >>>>>where *.jsp%20 is not a match and Apache would then serve the file
> >>>>>as text?
> >>>>>
> >>>>>Charlie
> >>>>>
> >>>>>>-----Original Message-----
> >>>>>>From: John Turner [mailto:tomcat-user@johnturner.com]
> >>>>>>Sent: Monday, August 11, 2003 9:22 AM
> >>>>>>To: Tomcat Users List
> >>>>>>Subject: Re: security hole on windows tomcat?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> >>>>>>
> >>>>>>John
> >>>>>>
> >>>>>>Paul Sundling ("Webdaddy") wrote:
> >>>>>>
> >>>>>>>I came across what appears to be a security hole when running Tomcat.
> >>>>>>>I'm not sure how widespread it is, but my Linux server is safe, yet my
> >>>>>>>Windows XP, Tomcat 4.1.24 is vulnerable.
> >>>>>>>
> >>>>>>>I found that if you append %20 to a JSP page it shows the source code
> >>>>>>>instead of displaying the page:
> >>>>>>>
> >>>>>>>http://192.168.1.54:8080/index.jsp  <shows page as expected>
> >>>>>>>http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
> >>>>>>>
> >>>>>>>So how widespread is this?
> >>>>>>>
> >>>>>>>Paul Sundling
> >>>>>>>
> >>>>>>>---------------------------------------------------------------------
> >>>>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>>>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>>>>>>
> 
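The two diagnostic switches Charlie asks for, written out as an added example that is not from the thread or from the Tomcat distribution. In Tomcat 4.1 the default servlet is declared in conf/web.xml with a debug init-param whose stock value is 0; RequestDumperValve ships in org.apache.catalina.valves and is enabled by adding a Valve element under Engine, Host or Context in conf/server.xml. The debug level 99 used here is an assumed choice (higher values log more); both settings are diagnostic only and the valve logs every request, including cookies and form parameters, so revert them once the log has been captured.

```xml
<!-- conf/web.xml: the stock default-servlet declaration with debug raised
     from 0 to 99 (level chosen here as an assumption) so DefaultServlet
     logs how it resolves each request it falls through to -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>99</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- conf/server.xml: add inside the <Host> (or <Engine>) element; dumps the
     decoded request URI, headers, cookies and parameters of every request
     to the container log, so remove it again once the log is captured -->
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
```

The line to look for in the resulting log is the decoded request URI: for the URL in Paul's report it will end in "index.jsp " with a trailing space, which is why the *.jsp servlet mapping does not match and the default servlet serves the file instead.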
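A small probe that answers Paul's "how widespread is this?" for a server you own, added here as an example and not code from the thread. It assumes the target serves index.jsp; the function names and the constructed sample responses are this example's own. The root cause it tests for is stated in the docstring: the decoded path "index.jsp " (trailing space) does not match the *.jsp servlet mapping, the request falls through to the default servlet, and the Win32 file APIs strip trailing spaces (and dots) from file names, so the default servlet opens index.jsp on disk and sends it as static text. The has_windows_trailing_char() function is the check a hardened dispatcher would apply to the decoded path before mapping lookup.

```python
"""Probe for the JSP source disclosure described in the thread.

Added example, not code from the thread. The function names, the constructed
sample responses and the assumption that the target serves index.jsp are this
example's own. Root cause being tested: Tomcat matches its *.jsp servlet mapping
against the decoded path "index.jsp " (trailing space), which does not match, so
the request falls through to the default servlet; Windows' Win32 file APIs strip
trailing spaces and dots from file names, so that servlet opens index.jsp on disk
and serves it as a static text file instead of compiling it.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import unquote, urlsplit, urlunsplit

# Encoded suffix reported in the thread. Windows also strips a trailing "."
# from file names, so "." is a candidate to add here when testing that variant.
SUFFIXES = ("%20",)

# Unprocessed JSP leaks directives, scriptlets/expressions, or jsp: actions.
JSP_MARKERS = re.compile(r"<%@\s*(page|taglib|include)\b|<%[=!]?\s|<jsp:")


def probe_urls(url):
    """Return [(label, url)] for the baseline request and each suffixed variant."""
    parts = urlsplit(url)
    variants = [("baseline", url)]
    for suffix in SUFFIXES:
        variants.append((suffix, urlunsplit(parts._replace(path=parts.path + suffix))))
    return variants


def classify(status, content_type, body):
    """'not-served', 'rendered', or 'source-disclosed' for one HTTP response."""
    if status != 200:
        return "not-served"
    if JSP_MARKERS.search(body):
        return "source-disclosed"
    return "rendered"


def assess(results):
    """results: {label: (status, content_type, body)} -> list of finding strings."""
    findings = []
    for label, (status, ctype, body) in results.items():
        if classify(status, ctype, body) != "source-disclosed":
            continue
        if label == "baseline":
            findings.append("baseline URL itself returned JSP source")
        else:
            findings.append(f"{label!r} suffix returned JSP source ({ctype or 'no content-type'})")
    return findings


def has_windows_trailing_char(path):
    """Hardening check for a dispatcher: True if any decoded path segment ends in a
    space or dot, which the Win32 file API would silently strip before opening."""
    return any(seg and seg[-1] in " ." for seg in unquote(path).split("/"))


def fetch(url):
    """GET url; returns (status, content_type, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), ""


# Constructed sample responses (not captured from any real server).
SAMPLE_RENDERED = (200, "text/html;charset=ISO-8859-1", "<html><body>Hello, it is Tuesday</body></html>")
SAMPLE_SOURCE = (200, "text/plain",
                 '<%@ page import="java.util.Date" %>\n<html><body>Hello, it is <%= new Date() %></body></html>')


def demo():
    """Run assess() over the constructed samples as if a server had returned them."""
    return assess({"baseline": SAMPLE_RENDERED, "%20": SAMPLE_SOURCE})


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: probe_jsp_space.py http://host:8080/index.jsp ; running offline demo")
        print(demo())
        sys.exit(0)
    results = {label: fetch(u) for label, u in probe_urls(sys.argv[1])}
    for line in assess(results) or ["no source disclosure observed"]:
        print(line)
```

Run it against a JSP URL on a test server you are authorised to probe; with no argument it exercises the classifier on the constructed samples. The classifier keys on JSP delimiters in the body rather than on Content-Type alone, because a front-end Apache (Charlie's second theory) could serve the file as text/plain or text/html depending on its own mime table, and either way scriptlet delimiters should never reach a client.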
