Since version 2.2 the specification has been explicit that web containers
should not serve back anything that is in your WEB-INF/ archive entry in the
WAR as a result of a direct call from a client. The reason was to protect the
integrity of the web application. Some folks use the WEB-INF/ directory for
storing app specific configuration information which may be sensitive too.
They can of course retrieve this within a Servlet using the getResource() API
on the ServletContext.

I see you cross posted to the Tomcat team so they are aware of it - thanks -
I'm sure Craig has it under control.

- Danny


> Web applications running on Windows (or other systems with non case
> sensitive file systems) can have secure content accessed by
> using different case.  The problem is a design problem for
> security-constraints and an implementation problem for WEB-INF
>
> For example I have been able to access /WeB-iNf/web.xml on several
> public servers running tomcat/catalina on NT.  The current release
> of Jetty3 also is vulnerable and probably most other servlet
> containers.
>
> As URLs are case sensitive, the security constraints are bypassed
> by the different case request. However, once these requests are
> converted to real filenames or file URLs, the JVM is able to
> provide a file for them.
>
> The impact of this can be significant, as it allows unauthorized access
> to WEB-INF/web.xml.  Furthermore any code in WEB-INF/classes or
> WEB-INF/lib may be accessed and decompiled and inspected for other
> vulnerabilities.
>
> Also vulnerable are any servlets written using getResource or
> getRealPath APIs that pass/use pathInfo.  If these servlets are
> protected by a security constraint including alpha numeric
> characters, then they are vulnerable.
>
> For example, a security constraint of /secret/* will not
> protect a JSP like /secret/private.jsp.  As a request to
> /SeCrEt/private.jsp will correctly bypass the security
> constraint, while the JspServlet at *.jsp will be able to find a
> matching jsp source file using getRealPath and/or getResource.
> Which will be compiled and a result returned.  Note that
> both the security constraint and the JSP servlet are acting
> correctly for their given path specifications.
> NB. I have verified that jasper (3.1) is vulnerable to this attack.
>
> A general fix will be difficult to find, as many servlets use
> getRealPath and their own file handling.  Furthermore, the
> real case of a file cannot be determined easily (getCanonicalPath
> does not return the actual file's case on at least one popular
> JVM (sun JDK1.2.2 on linux accessing a remote NT file system).
> Thus a general check  for case matching cannot be made.
>
> I am currently of the opinion that design changes are needed in
> the security-constraint mechanism to at least allow case
> insensitive url-patterns to be used.
>
> A better solution would be to specify the behaviour of multiple
> security constraints, plus allow relaxing constraints.
> This may even be possible within the current web.dtd?
> If the most specific security constraint takes precedent (as it
> probably does), then a  reasonable solution can be reached by
> placing a restrictive constraint on / and then defining less
> restrictive constraints on more specific paths.  This may be
> a valid interpretation of the current specification, but if
> so, it needs to be clarified.
>
> Note that protection of the WEB-INF directory is separate
> to considerations of user defined security constraints, other
> than it probably shares a common implementation.  WEB-INF should be
> protected from case base access regardless of any action taken on
> security constraints.
>
> A final point is that this may show that it may not have
> been a good idea to place WEB-INF and all it's content
> within the document root.  Perhaps an alternate web application
> directory layout can be considered with a document root as
> a sibling or child rather than a parent of WEB-INF.
> eg. if WEB-INF/docroot exists, then it becomes the
> document root.
>
> regards
>
> PS. sorry if this has been raised before in these forums, but
> my searches could not find anything
>
> --
> Greg Wilkins<[EMAIL PROTECTED]>          GB  Phone: +44-(0)2074394045
> Mort Bay Consulting Australia and UK.    Mbl Phone: +44-(0)7775534369
> http://www.mortbay.com                   AU  Phone: +61-(0)2 99772395
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html

Reply via email to