From: "Angus Mezick"
To: "Tomcat Users List"
Subject: RE: security hole on windows tomcat?
Date: Mon, 11 Aug 2003 12:56:19 -0400
Message-ID: <24A8596C44DF4F4DA442CBE269C351BD012DB09C@wbmail.guidestar.net>

ARGH! This has gone to just being an apache problem. Tomcat seems to have self corrected. I am very confused but will keep looking. Apache still does it though.

> -----Original Message-----
> From: Cox, Charlie [mailto:ccox@cincom.com]
> Sent: Monday, August 11, 2003 12:40 PM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
>
> can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml
> and post the log.
>
> > -----Original Message-----
> > From: Angus Mezick [mailto:amezick@guidestar.org]
> > Sent: Monday, August 11, 2003 12:39 PM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows tomcat?
> >
> > Nope, but this mime mapping exists.
> >
> > jspf
> > text/plain
> >
> > > -----Original Message-----
> > > From: Cox, Charlie [mailto:ccox@cincom.com]
> > > Sent: Monday, August 11, 2003 12:15 PM
> > > To: 'Tomcat Users List'
> > > Subject: RE: security hole on windows tomcat?
> > >
> > > did you change any mime-mappings in conf/web.xml?
> > > could you have a "jsp " in
> > > there somewhere defining it as text?
> > >
> > > > -----Original Message-----
> > > > From: Angus Mezick [mailto:amezick@guidestar.org]
> > > > Sent: Monday, August 11, 2003 12:15 PM
> > > > To: Tomcat Users List
> > > > Subject: RE: security hole on windows tomcat?
> > > >
> > > > Ok guys,
> > > > What could I have turned on that would have allowed this bug to happen?
> > > > I can make it happen in both tomcat and tomcat through apache. (Most
> > > > recent of both) I can provide a site where it DOES happen so you guys
> > > > can see what is happening.
> > > >
> > > > > -----Original Message-----
> > > > > From: Cox, Charlie [mailto:ccox@cincom.com]
> > > > > Sent: Monday, August 11, 2003 12:07 PM
> > > > > To: 'Tomcat Users List'
> > > > > Subject: RE: security hole on windows tomcat?
> > > > >
> > > > > sorry, I don't know - I don't use Apache. This was just a thought that I
> > > > > had.
> > > > >
> > > > > I do not have this problem 4.1.24 on Win2k
> > > > >
> > > > > Charlie
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Angus Mezick [mailto:amezick@guidestar.org]
> > > > > > Sent: Monday, August 11, 2003 11:49 AM
> > > > > > To: Tomcat Users List
> > > > > > Subject: RE: security hole on windows tomcat?
> > > > > >
> > > > > > Charlie,
> > > > > > How do you fix this within apache?
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Cox, Charlie [mailto:ccox@cincom.com]
> > > > > > > Sent: Monday, August 11, 2003 10:15 AM
> > > > > > > To: 'Tomcat Users List'
> > > > > > > Subject: RE: security hole on windows tomcat?
> > > > > > >
> > > > > > > do you have apache on the front end and are you only mapping *.jsp where
> > > > > > > *.jsp%20 is not a match and apache would then serve the file as text?
> > > > > > >
> > > > > > > Charlie
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: John Turner [mailto:tomcat-user@johnturner.com]
> > > > > > > > Sent: Monday, August 11, 2003 9:22 AM
> > > > > > > > To: Tomcat Users List
> > > > > > > > Subject: Re: security hole on windows tomcat?
> > > > > > > >
> > > > > > > > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > > > > > > >
> > > > > > > > John
> > > > > > > >
> > > > > > > > Paul Sundling("Webdaddy") wrote:
> > > > > > > >
> > > > > > > > > I came across what appears to be a security hole when running tomcat.
> > > > > > > > > I'm not sure how widespread it is, but my linux server is safe, yet my
> > > > > > > > > windows XP, tomcat 4.1.24 is vulnerable.
> > > > > > > > >
> > > > > > > > > I found that if you append %20 to a jsp page it shows the source code
> > > > > > > > > instead of displaying the page:
> > > > > > > > >
> > > > > > > > > http://192.168.1.54:8080/index.jsp as expected>
> > > > > > > > > http://192.168.1.54:8080/index.jsp%20 source code of index.jsp>
> > > > > > > > >
> > > > > > > > > So how widespread is this?
> > > > > > > > >
> > > > > > > > > Paul Sundling
> > > > > > > > >
> > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > > > > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
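
An added example, not part of the thread or of Tomcat or Apache: a log check for the behaviour discussed above, flagging requests for a JSP path followed by `%20` and separating 200 responses from the 404 that John Turner reports. The Common Log Format input, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Extensions that must be handed to the servlet container, never served as static text.
SCRIPT_EXTS = (".jsp", ".jspf")

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def trailing_space_script(path):
    """Return the script path if the decoded path is a script name followed
    only by spaces (e.g. /index.jsp%20), else None."""
    decoded = unquote(path.split("?", 1)[0])
    stripped = decoded.rstrip(" ")
    if stripped != decoded and stripped.lower().endswith(SCRIPT_EXTS):
        return stripped
    return None


def scan(lines):
    """Return (client, raw_path, status, verdict) for each suspicious request."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, _method, raw_path, status = m.groups()
        if trailing_space_script(raw_path) is None:
            continue
        # A 200 means some layer served the file; a 404 matches John Turner's report.
        verdict = "possible source disclosure" if status == "200" else "rejected"
        findings.append((client, raw_path, int(status), verdict))
    return findings


# Constructed sample log lines (not from the thread).
SAMPLE = [
    '192.0.2.10 - - [11/Aug/2003:12:01:00 -0400] "GET /index.jsp HTTP/1.1" 200 1502',
    '192.0.2.10 - - [11/Aug/2003:12:01:05 -0400] "GET /index.jsp%20 HTTP/1.1" 200 2210',
    '192.0.2.11 - - [11/Aug/2003:12:02:00 -0400] "GET /index.jsp%20 HTTP/1.1" 404 310',
    '192.0.2.12 - - [11/Aug/2003:12:03:00 -0400] "GET /a%20b.html HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against both the Apache and the Tomcat access logs, the 200 entries show which layer answered the `%20` request.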