Re: JSP source code exposure in Tomcat 4.x
3.2 Workaround: There are at least two ways to protect from this vulnerability. A. Tomcat in tandem with HTTP server front-end: If you are using front-end HTTP server you can filter all requests with the pattern */servlet/org.apache.catalina.servlets.DefaultServlet* b. If you are using mod_jk to connect tomcat to you front-end server map to Tomcat only the URL's that are part from you application but not all request. See the usage of JkMount directive. Anyone can post an example of how either A or B can be done? Does it matter which method is used? -- carrie s. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
JSP source code exposure in Tomcat 4.x
Tomcat 4.x JSP source exposure security advisory 1. Summary Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet. 2. Details: Let say you have valid URL like http://my.site/login.jsp, then an URL like http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp will give you the source code of the JSP page. The full syntaxes of the exposure URL is: http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet /[context_relative_path/]file_name.jsp For example to see the JSP source of Tomcat 4.1.10 admin application http://localhost:8080/admin/index.jsp execute http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServ let/index.jsp 3. Solution: 3.1 Upgrade to the last releases 4.0.5 and 4.1.12 See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last releases. 3.2 Workaround: There are at least two ways to protect from this vulnerability. A. Tomcat in tandem with HTTP server front-end: a. If you are using front-end HTTP server you can filter all requests with the pattern */servlet/org.apache.catalina.servlets.DefaultServlet* b. If you are using mod_jk to connect tomcat to you front-end server map to Tomcat only the URL's that are part from you application but not all request. See the usage of JkMount directive. B. If you are using standalone Tomcat then add protection for this location in all you application descriptors - web.xml. Simple example: security-constraint display-nameDefault Servlet/display-name !-- Disable direct alls on the Default Servlet/web-resource-name -- web-resource-collection web-resource-nameDisallowed Location/web-resource-name url-pattern/servlet/org.apache.catalina.servlets.DefaultServlet/*/url-pat tern http-methodDELETE/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method /web-resource-collection auth-constraint role-name/role-name /auth-constraint /security-constraint See the server's documentation for more details. Regards, Rossen Raykov PS. Special thanks to the Tomcat development team for their quick response. --- Rossen Raykov COGNICASE U.S.A. Inc. (908) 860-1100 Ext. 1140 [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
JSP source code exposure in Tomcat 4.x
Rossen Raykov wrote: Tomcat 4.x JSP source exposure security advisory 1. Summary Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet. --= [ cut ] =-- 3. Solution: 3.1 Upgrade to the last releases 4.0.5 and 4.1.12 See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last releases. I'm a newbie to Tomcat and JSP at all, so I have a question: can this upgrade be done by using new binaries only, not by upgrading an entire distribution including configs? I don't want to overwrite my configure files, because it took some time for me to understand its structure and meaning. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: JSP source code exposure in Tomcat 4.x
Veniamin Fichin wrote: Rossen Raykov wrote: Tomcat 4.x JSP source exposure security advisory 1. Summary Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet. --= [ cut ] =-- 3. Solution: 3.1 Upgrade to the last releases 4.0.5 and 4.1.12 See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last releases. I'm a newbie to Tomcat and JSP at all, so I have a question: can this upgrade be done by using new binaries only, not by upgrading an entire distribution including configs? I don't want to overwrite my configure files, because it took some time for me to understand its structure and meaning. No, you do not need to upgrade. Read the advisory I posted earlier, or the news item posted on the Jakarta website. Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]