Re: FW: Tomcat may reveal script source code by URL trickery 2

2001-04-04 Thread Stephan Seyboth

On Tue, Apr 03, 2001 at 04:04:46PM -0700, Jon Stevens wrote:
 
 --
 From: "Sverre H. Huseby" [EMAIL PROTECTED]
 Reply-To: "Sverre H. Huseby" [EMAIL PROTECTED]
 Date: Tue, 3 Apr 2001 10:25:26 +0200
 To: [EMAIL PROTECTED]
 Subject: Tomcat may reveal script source code by URL trickery 2

[...]

 Systems affected
 ----------------
 
 Tomcat 4.0-b2, which includes fixes for a similar bug.  Other versions
 before 4.0-b3 may be vulnerable too.
 
 The Tomcat team was notified on 2001-04-01, and they provided a fix on
 2001-04-03.  Everybody should upgrade to at least Tomcat 4.0 beta 3.

As far as I understand and can verify by testing, both Tomcat 3.2.1
and 3.2.2b2 are vulnerable to variations of this attack. What is the
correct solution for people using 3.2.1, since that is the recommended
release for production use?

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

[numguess.jsp source follows]

$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

[numguess.jsp source follows]

Also could someone more familiar with the Tomcat code explain the
problem in more detail? I'm still new to Tomcat, so a pointer to
the relevant parts of the source would be very much appreciated.

Thanks

-- 
Stephan Seyboth - Developer
Caldera (Deutschland) GmbH
http://www.caldera.de/



FW: Tomcat may reveal script source code by URL trickery 2

2001-04-03 Thread Jon Stevens


--
From: "Sverre H. Huseby" [EMAIL PROTECTED]
Reply-To: "Sverre H. Huseby" [EMAIL PROTECTED]
Date: Tue, 3 Apr 2001 10:25:26 +0200
To: [EMAIL PROTECTED]
Subject: Tomcat may reveal script source code by URL trickery 2

Meta comment
------------

Ok, I know there has already been a report on this problem on Bugtraq,
but as I informed the Tomcat people before the CHINANSL advisory
appeared here, I want to brag about it anyway.  :)

Also, the Tomcat'ers have provided a fix as mentioned in this
advisory.



==

Tomcat may reveal script source code by URL trickery 2
--

Sverre H. Huseby security advisory #4, 2001-04-03



Systems affected
----------------

Tomcat 4.0-b2, which includes fixes for a similar bug.  Other versions
before 4.0-b3 may be vulnerable too.

The Tomcat team was notified on 2001-04-01, and they provided a fix on
2001-04-03.  Everybody should upgrade to at least Tomcat 4.0 beta 3.


Description
---

Tomcat (http://jakarta.apache.org/tomcat/), the Reference
Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
Technologies, may be tricked into revealing the source code of JSP
scripts by using simple URL encoding.


Details
---

It seems that the built-in web server in affected versions of Tomcat
does URL decoding twice.  URLs like the following

  http://someplace.com:8080/index.js%2570

where %25 is a URL-encoded '%', and 70 is the hexadecimal value for
'p', return the source code of index.jsp rather than running the
script on the server side.

To speculate (read: guess): The JSP handler is skipped as this URL
does not end in ".jsp" (after URL decoding the first time), but the
static file handler is nevertheless able to map the URL into a correct
file name (doing URL decoding a second time).


Impact
--

This design error makes it possible to fetch the source code of JSP
scripts.  Such source code may contain database passwords and file
names, and may reveal design errors or programming bugs that make it
possible to further exploit the server or service.



Reported by Sverre H. Huseby, [EMAIL PROTECTED]

--
URL:mailto:[EMAIL PROTECTED]
URL:http://shh.thathost.com/
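The following is an added illustration, not code from the thread and not Tomcat's own source: a small Python model of the double-decoding the advisory speculates about (the container decodes the URI once and picks a handler from the result, while the static file handler decodes it again), placed beside a dispatcher that decodes exactly once. The %00 case from Stephan Seyboth's follow-up is modelled under the assumption that the file open truncates at the first NUL byte; the thread does not describe that mechanism, so it is a guess. The web application contents, the handler names and the 400/404 results are all constructed for the example.

```python
from urllib.parse import unquote

# Constructed stand-in for a deployed web application: request path -> JSP
# source text. The file names follow the advisory and the follow-up post;
# the contents are invented for this example.
WEBAPP_FILES = {
    "/index.jsp": '<%@ page import="java.sql.*" %>\n<% String dbPassword = "example-only"; %>',
    "/examples/jsp/num/numguess.jsp": "<%-- numguess.jsp (constructed) --%>\n<% int answer = 42; %>",
}


def decode_steps(raw_uri, rounds=2):
    """Return the path after 0, 1, ..., `rounds` applications of URL
    decoding, to show how %2570 becomes %70 and then 'p'."""
    steps = [raw_uri]
    for _ in range(rounds):
        steps.append(unquote(steps[-1]))
    return steps


def render_jsp(path):
    """Stand-in for the JSP engine; the real engine compiles and runs the page."""
    return "<html>rendered output of " + path + "</html>"


def vulnerable_dispatch(raw_uri, files=WEBAPP_FILES):
    """Model of the behaviour the advisory guesses at: the handler choice is
    made on the once-decoded path, but the static file handler decodes a
    second time before looking the file up. Truncating at NUL is an
    assumption modelling the %00 variant (a C open() stops at the first
    NUL byte). Returns (handler, body)."""
    path = unquote(raw_uri)                          # first decode, by the container
    if path.endswith(".jsp"):
        return ("jsp", render_jsp(path))             # JSP engine handles it
    file_path = unquote(path).split("\x00", 1)[0]    # second decode + NUL truncation
    body = files.get(file_path)
    if body is None:
        return ("404", None)
    return ("static", body)                          # raw file served as text/plain


def safe_dispatch(raw_uri, files=WEBAPP_FILES):
    """Hardened model: decode exactly once, reject control characters that
    survive decoding, and use the same string for the handler decision and
    the file lookup, so the two can never disagree."""
    path = unquote(raw_uri)
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        return ("400", None)                         # e.g. an embedded %00
    if path.endswith(".jsp"):
        return ("jsp", render_jsp(path))
    body = files.get(path)                           # no second decode: "%70" stays "%70"
    if body is None:
        return ("404", None)
    return ("static", body)


if __name__ == "__main__":
    for uri in ("/index.jsp", "/index.js%2570", "/examples/jsp/num/numguess.jsp%00"):
        print(uri, "->", decode_steps(uri))
        print("  vulnerable:", vulnerable_dispatch(uri)[0])
        print("  fixed:     ", safe_dispatch(uri)[0])
```

The point of the hardened version is not the control-character check on its own but that the path string used to choose the handler is the very same string used to open the file; once those two steps share one canonical path, a request such as /index.js%2570 simply becomes a lookup for a file literally named "index.js%70" and fails with 404.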