Ok. I have this problem but it isn't tomcat that is doing the serving of the JSP source. It is apache. This is my workers2.properties uri section:

[uri:www.SITENAME.org/*.jsp]
group=lbWWW
[uri:www.SITENAME.org/*.adp]
group=lbWWW
[uri:www.SITENAME.org/*.inc]
group=lbWWW
[uri:www.SITENAME.org/servlet/*]
group=lbWWW
[uri:www.SITENAME.org/*.gs]
group=lbWWW

I am guessing the problem is because http://www.SITENAME.org/index.jsp%20 is not a match for http://www.SITENAME.org/*.jsp (that trailing space messes stuff up). Should I just create a RedirectMatch for this case that removes all trailing whitespace? Would mod_rewrite be better for this?

I am using this list for this question because I KNOW the apache list doesn't want tomcat integration questions.

--Angus

> -----Original Message-----
> From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2003 9:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security hole on windows tomcat?
>
>
> I've verified that this workaround stops the problem on Win XP's 1.4.2
> and on NetWare's 1.4.2
>
> Jeff Tulley ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
>
> >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> Sorry, I've just realized this thread may be related to bugtraq #4895132
> (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
> is to add the following property when starting Tomcat:
>
> -Dsun.io.useCanonCaches=false
>
> Can someone try it and let me know if it changes something. If this is
> not working, then point me to a very simple test case and I will file a
> new bugtraq bug.
>
> -- Jeanfrancois
>
>
> Eric J. Pinnell wrote:
>
> >I think at this point this might be a worthwhile candidate for Sun's
> >bugparade. At least get it on their radars (if they don't know about it
> >already). It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> >When 1.4.2 was released 4.1.24 was the latest stable build.
> >
> >Regardless, the JDK/appserver/whatever should never puke its guts and spit
> >out the source code when it gets a request it doesn't know how to deal
> >with. Upon failure it should result in some kind of error. Sun might
> >care about this...
> >
> >-e
> >
> >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> >
> >>It is highly possible that this is dependent on the JVM you have
> >>installed. I actually finally WAS able to see this on Windows XP, but
> >>only if Tomcat was running on JVM 1.4.2. The problem did NOT happen
> >>with 1.4.1. Of course, JVM version is the one item I left off of my
> >>"poll" in my email below. :)
> >>
> >>I'm trying to verify this on other OS's and track down what the actual
> >>problem is.
> >>
> >>But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
> >>
> >>Jeff Tulley ([EMAIL PROTECTED])
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com
> >>
> >>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
> >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
> >>either port 8080 or port 80 - pages return fine without the %20 suffix,
> >>always return http 404 with the suffix.
> >>
> >>Murray
> >>-----Original Message-----
> >>From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> >>Sent: Wednesday, 13 August 2003 02:41
> >>To: [EMAIL PROTECTED]
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>So this issue is confusing. It seems that indeed there IS an issue,
> >>though most cannot see a problem.
> >>Talking to some people off-list, it seems that some think it is a JK2 /
> >>workers2.properties issue. But I'm pretty sure that others have seen
> >>this going directly to port 8080.
> >>We probably need to take a quick poll:
> >>
> >>If you have seen this security problem of being able to view JSP
> >>source, in what scenario(s)?
> >>
> >>Tomcat version
> >>OS version
> >>Directly to Tomcat ("8080") or through Apache - JK or JK2?
> >>(If you've seen the problem, please include your workers or
> >>workers2.properties file, with a .txt extension)
> >>Browser version(s)
> >>URLs where this was seen or not seen
> >>
> >>If you have seen this in multiple scenarios, and not in others, please
> >>list each separately.
> >>
> >>I have NOT seen it in the following scenarios:
> >>
> >>Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
> >>Windows 2000 5.00.2195 Service Pack 4
> >>Directly to port 8080
> >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> >>I tried http://(url):8080/index.jsp%20
> >>
> >>Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
> >>adding one JNDIRealm beyond the default config)
> >>Novell NetWare 6.5
> >>Directly to port 8080, and through Apache - mod_jk.nlm
> >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> >>I tried http://(url):8080/index.jsp%20 and
> >>https://(url)/tomcat/admin/index.jsp%20
> >>
> >>Hopefully this mail gets through; I haven't been seeing my emails show
> >>up on tomcat-user for some reason (I un/resubscribed today...)
> >>
> >>It would be really good to get to the bottom of this!
> >>
> >>Jeff Tulley ([EMAIL PROTECTED])
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com
> >>
> >>>>>[EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
> >>can you turn on debugging for the default servlet (conf/web.xml) and also
> >>turn on the RequestDumperValve (server.xml) and post the log.
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>For additional commands, e-mail: [EMAIL PROTECTED]
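The mapping mismatch Angus describes, modelled as an added example that is not from the thread: the connector glob-matches the decoded request name as-is, while Windows drops trailing spaces (and, as a generalisation of the same normalisation, trailing dots) before opening the file, so a request that misses every Tomcat mapping falls through to the static handler and the canonical file is what gets opened. The hardened path decides on the canonical name and never lets the static handler serve a Tomcat-mapped extension at all. The pattern list mirrors the quoted workers2.properties with the host part dropped; the file contents and function names are constructed for the example.

```python
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Suffixes the quoted workers2.properties sends to Tomcat (host part dropped).
TOMCAT_PATTERNS = ("*.jsp", "*.adp", "*.inc", "/servlet/*", "*.gs")
PROTECTED_EXT = (".jsp", ".adp", ".inc", ".gs")

# Constructed stand-in for a DocumentRoot holding the webapp: JSP source
# sits on disk next to an ordinary static file.
FILES = {
    "index.jsp": '<%@ page language="java" %><% out.println(dbPassword); %>',
    "logo.png": "PNG bytes (constructed)",
}

def route(decoded_path):
    """Glob match against the decoded path exactly as the connector sees it."""
    for pat in TOMCAT_PATTERNS:
        if fnmatchcase(decoded_path, pat):
            return "tomcat"
    return "static"

def windows_canonical(path):
    """Model of Win32 name normalisation: trailing spaces and dots are
    dropped before the file system is consulted, so 'index.jsp ' opens
    index.jsp."""
    return path.rstrip(" .")

def serve_naive(raw_uri, files=FILES):
    """Vulnerable flow from the thread: the mapping is checked against the
    raw decoded name, but the static handler opens the canonical name."""
    decoded = unquote(raw_uri)
    if route(decoded) == "tomcat":
        return "rendered by tomcat"
    name = windows_canonical(posixpath.basename(decoded))
    return files.get(name, "404")

def serve_hardened(raw_uri, files=FILES):
    """Decide on the canonical name, and never let the static handler hand
    out a file with a Tomcat-mapped extension, whatever the routing did."""
    decoded = unquote(raw_uri)
    canonical = windows_canonical(decoded)
    if canonical != decoded:
        return "403"  # the name would change on its way to disk: refuse it
    if route(canonical) == "tomcat":
        return "rendered by tomcat"
    if canonical.lower().endswith(PROTECTED_EXT):
        return "403"  # source is only ever rendered, never read raw
    return files.get(posixpath.basename(canonical), "404")
```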