Re: Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
Verified on Win XP as well. Using that flag fixes the problem. Thanks for making that connection!

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 7:02:01 PM >>>
> Oops, I've missed the discussion. There is a 1.4.2 bug found by Remy (and reported in bugtraq as 4895132; I'm not sure you can access the bug). The workaround is to add the following property when starting Tomcat:
>
> -Dsun.io.useCanonCaches=false
>
> Can you try it and see if that fixes the problem (I don't have a winXX)?
>
> -- Jeanfrancois

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
Oops, I've missed the discussion. There is a 1.4.2 bug found by Remy (and reported in bugtraq as 4895132; I'm not sure you can access the bug). The workaround is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can you try it and see if that fixes the problem (I don't have a winXX)?

-- Jeanfrancois

Jeff Tulley wrote:
> The user list has been busy lately discussing a possible security hole, but only 1/3 of the people in the thread could see the problem. I finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2, but NOT with JVM 1.4.1.
>
> The vulnerability is that if you stick a "%20" on the end of a .jsp url, you get the source.
>
> I forgot to mention the platforms where this has been seen. I have seen this with Sun's JVM 1.4.2 on Windows XP, and now I just verified that it also exists on NetWare's JVM 1.4.2 (built on Sun's source code base, so not surprising). It might exist on other 1.4.2 implementations, but I am not sure.
>
> I also just verified this on Tomcat 4.1.18 and 4.1.26 as well.
>
> For some reason I see it better with the example JSPs - /examples/jsp/num/numbguess.jsp%20 for instance. But, you can tell the problem is going to be there if, when you add the "%20" to the .jsp name, you don't get a 404. This is all going directly to port 8080, so no native connector is involved.
>
> Jeff Tulley ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
Re: Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
Jeff Tulley wrote:
> Verified on Win XP as well. Using that flag fixes the problem. Thanks for making that connection!

I've still got the problem when using the mod_jk2 connector.

I'm using Tomcat 4.1.27 w/ patch on Windows 2000 SP4, behind an Apache 2.0.47 web server, with the J2SE 1.4.2. The mod_jk2 binary I'm using comes from Tomcat 4.1.24 (I built it from source).

I added those keys in the registry for the Tomcat service, and restarted it:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache Tomcat 4.1\Parameters]
    "JVM Option Count"=dword:0005
    "JVM Option Number 3"="-Dfile.encoding=ISO-8859-1"
    "JVM Option Number 4"="-Dsun.io.useCanonCaches=false"

When I access Tomcat directly using port 8080, the option does work, and *.jsp%20 returns a 404. However, when accessing the same through Apache, I still get the JSP code:

    [13/Aug/2003:13:54:16 +0200] xx.xx.xx.xx TLSv1 DHE-RSA-AES256-SHA "GET /myApp/index.jsp%20 HTTP/1.1" 1534

Did I miss something?

TIA,
Laurent
Tomcat 4.1.24 & JVM 1.4.2 security hole?
The user list has been busy lately discussing a possible security hole, but only 1/3 of the people in the thread could see the problem. I finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2, but NOT with JVM 1.4.1.

The vulnerability is that if you stick a "%20" on the end of a .jsp url, you get the source.

I have not tried this with Tomcat versions later than 4.1.24 once I actually saw the problem.

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
Re: Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
Fixes it on NetWare. I'll go try WinXP.

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 7:02:01 PM >>>
> Oops, I've missed the discussion. There is a 1.4.2 bug found by Remy (and reported in bugtraq as 4895132; I'm not sure you can access the bug). The workaround is to add the following property when starting Tomcat:
>
> -Dsun.io.useCanonCaches=false
>
> Can you try it and see if that fixes the problem (I don't have a winXX)?
>
> -- Jeanfrancois
Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
The user list has been busy lately discussing a possible security hole, but only 1/3 of the people in the thread could see the problem. I finally got to where I could see it using Tomcat 4.1.24 and JVM 1.4.2, but NOT with JVM 1.4.1.

The vulnerability is that if you stick a "%20" on the end of a .jsp url, you get the source.

I forgot to mention the platforms where this has been seen. I have seen this with Sun's JVM 1.4.2 on Windows XP, and now I just verified that it also exists on NetWare's JVM 1.4.2 (built on Sun's source code base, so not surprising). It might exist on other 1.4.2 implementations, but I am not sure.

I also just verified this on Tomcat 4.1.18 and 4.1.26 as well.

For some reason I see it better with the example JSPs - /examples/jsp/num/numbguess.jsp%20 for instance. But, you can tell the problem is going to be there if, when you add the "%20" to the .jsp name, you don't get a 404. This is all going directly to port 8080, so no native connector is involved.

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
Re: Resend: Tomcat 4.1.24 & JVM 1.4.2 security hole?
I wouldn't be able to try to duplicate this -- I do not use mod_jk2. On my system, with mod_jk it seems the problem is gone with the workaround.

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/13/03 5:56:31 AM >>>
> I've still got the problem when using the mod_jk2 connector.
>
> I'm using Tomcat 4.1.27 w/ patch on Windows 2000 SP4, behind an Apache 2.0.47 web server, with the J2SE 1.4.2. The mod_jk2 binary I'm using comes from Tomcat 4.1.24 (I built it from source).
>
> I added those keys in the registry for the Tomcat service, and restarted it:
>
>     Windows Registry Editor Version 5.00
>
>     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache Tomcat 4.1\Parameters]
>     "JVM Option Count"=dword:0005
>     "JVM Option Number 3"="-Dfile.encoding=ISO-8859-1"
>     "JVM Option Number 4"="-Dsun.io.useCanonCaches=false"
>
> When I access Tomcat directly using port 8080, the option does work, and *.jsp%20 returns a 404. However, when accessing the same through Apache, I still get the JSP code:
>
>     [13/Aug/2003:13:54:16 +0200] xx.xx.xx.xx TLSv1 DHE-RSA-AES256-SHA "GET /myApp/index.jsp%20 HTTP/1.1" 1534
>
> Did I miss something?
>
> TIA,
> Laurent
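The thread gives defenders two concrete things to work with: Jeff's rule that a patched server answers a ".jsp%20" request with a 404 rather than the page source, and Laurent's access-log line showing what such a request looks like when it arrives through Apache. The following Python script is an added example (not code from the thread or from Tomcat) that applies both: it scans access-log lines in the format Laurent posted for ".jsp%20"-style requests, and classifies a probe response against a server you operate using the 404 rule. The sample log lines, the 192.0.2.x addresses and the helper names are constructed for the example.

```python
import re
import urllib.error
import urllib.request

# Request line for a .jsp path with one or more trailing %20 before the end
# of the path or a query string; this is the shape of request in the thread.
JSP_TRAILING_SPACE = re.compile(
    r'"(?:GET|HEAD|POST) (?P<path>\S*?\.jsp(?:%20)+)(?:\?\S*)? HTTP/1\.[01]"'
)


def find_jsp_source_probes(log_lines):
    """Return (line_number, request_path) for every log line that requests
    a .jsp URL with trailing %20, i.e. a possible source-disclosure probe."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = JSP_TRAILING_SPACE.search(line)
        if m:
            hits.append((n, m.group("path")))
    return hits


def classify_probe(status, body):
    """Apply the thread's rule to the response for <page>.jsp%20 on your own
    server: 404 means the workaround is effective; a body containing JSP
    markup means the source is being served; anything else needs a look."""
    if status == 404:
        return "ok"
    if "<%" in body or "<jsp:" in body:
        return "vulnerable"
    return "suspicious"


def probe(url_with_trailing_space, timeout=10):
    """Fetch e.g. http://host:8080/examples/jsp/num/numbguess.jsp%20 from a
    server you administer and classify the answer. Needs network access, so
    it is not exercised by the stand-alone run below."""
    req = urllib.request.Request(url_with_trailing_space, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("latin-1", "replace"))
    except urllib.error.HTTPError as e:
        return classify_probe(e.code, e.read().decode("latin-1", "replace"))


# Constructed sample lines modelled on Laurent's log format (not real traffic).
SAMPLE_LOG = [
    '[13/Aug/2003:13:54:16 +0200] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /myApp/index.jsp%20 HTTP/1.1" 1534',
    '[13/Aug/2003:13:54:20 +0200] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /myApp/index.jsp HTTP/1.1" 812',
    '[13/Aug/2003:13:55:02 +0200] 192.0.2.11 TLSv1 DHE-RSA-AES256-SHA "GET /examples/jsp/num/numbguess.jsp%20%20?x=1 HTTP/1.1" 2210',
    '[13/Aug/2003:13:55:09 +0200] 192.0.2.12 TLSv1 DHE-RSA-AES256-SHA "GET /myApp/logo%20small.png HTTP/1.1" 4096',
]

if __name__ == "__main__":
    for n, path in find_jsp_source_probes(SAMPLE_LOG):
        print(f"line {n}: possible JSP source disclosure probe: {path}")
```

Run the log scan against the Apache access log as well as Tomcat's own, since Laurent's case shows the front-end connector path can behave differently from port 8080.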