Tomcat 3.1.x and 3.2.x do not suffer from this problem.

> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 30, 2001 12:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: FW: Tomcat may reveal script source code by URL trickery
>
>
>
>
> On Fri, 30 Mar 2001, Renzo Toma wrote:
>
> >
> > Just in case you missed it.
> >
>
> I'm working on this ... (compiling as I type).
>
> Craig
>
>
> > -----Original Message-----
> > From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of Sverre
> > H. Huseby
> > Sent: Thursday, 29 March 2001 10:12
> > To: [EMAIL PROTECTED]
> > Subject: Tomcat may reveal script source code by URL trickery
> >
> >
> > Tomcat may reveal script source code by URL trickery
> > ----------------------------------------------------
> >
> > Sverre H. Huseby advisory 2001-03-29
> >
> >
> >
> > Systems affected
> > ----------------
> >
> > Tomcat 4.0-b1 (latest milestone) and nightly build as of 2001-03-28
> > tested.  Other versions may be vulnerable too.  The problem is only
> > present when using Tomcat's built-in web server, not when using Tomcat
> > with Apache Web Server.
> >
> >
> > Description
> > -----------
> >
> > Tomcat (http://jakarta.apache.org/tomcat/), the Reference
> > Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
> > Technologies, may be tricked into revealing the source code of JSP
> > scripts by using simple URL encoding.
> >
> >
> > Details
> > -------
> >
> > It seems that the built-in web server in Tomcat does URL decoding in
> > an unreasonable order.  URLs like the following
> >
> >   http://XXX:8080/examples/jsp/num/numguess.js%70
> >
> > where %70 is a URL-encoded 'p', returns the source code of index.jsp
> > rather than running the script on the server side.
> >
> > To speculate: The JSP handler is skipped as this URL does not end in
> > ".jsp", but the static file handler is nevertheless able to map the
> > URL into a correct file name.
> >
> >
> > Impact
> > ------
> >
> > This design error makes it possible to fetch the source code of JSP
> > scripts.  Such source code may contain database passwords and file
> > names, and may reveal design errors or programming bugs that make it
> > possible to further exploit the server or service.
> >
> >
> >
> > Reported by Sverre H. Huseby, [EMAIL PROTECTED]
> >
> > --
> > <URL:mailto:[EMAIL PROTECTED]>
> > <URL:http://shh.thathost.com/>
> >
> >
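The decoding-order problem the advisory speculates about, as an added example that is not part of the original thread and is not Tomcat's code: a toy dispatcher that compares mapping the raw path with decoding first, plus a check that flags paths whose handler choice changes once decoded. The class, method and handler names are hypothetical, and the sample paths are constructed from the URL quoted in the advisory.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Toy model of the dispatch order, not Tomcat code; all names are hypothetical.
public class DispatchOrder {

    // Mapping step: pick a handler from the extension, as the advisory speculates.
    static String mapHandler(String path) {
        return path.endsWith(".jsp") ? "jsp-servlet" : "static-file";
    }

    // URLDecoder does form decoding ('+' becomes a space); close enough for this
    // sketch, a real server needs a path-specific decoder. Needs Java 10+.
    static String decode(String rawPath) {
        return URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
    }

    // Flawed order: the handler is chosen from the raw path, the file from the decoded one.
    static String[] dispatchRawFirst(String rawPath) {
        return new String[] { mapHandler(rawPath), decode(rawPath) };
    }

    // Corrected order: decode once, then map and resolve from the same string.
    static String[] dispatchDecodeFirst(String rawPath) {
        String decoded = decode(rawPath);
        return new String[] { mapHandler(decoded), decoded };
    }

    // Log-review check: the handler decision changes once the path is decoded.
    static boolean handlerDiffers(String rawPath) {
        return !mapHandler(rawPath).equals(mapHandler(decode(rawPath)));
    }

    public static void main(String[] args) {
        // Constructed sample paths; the second is the form quoted in the advisory.
        String[] paths = { "/examples/jsp/num/numguess.jsp",
                           "/examples/jsp/num/numguess.js%70" };
        for (String p : paths) {
            String[] raw = dispatchRawFirst(p);
            String[] dec = dispatchDecodeFirst(p);
            System.out.printf("%s%n  raw-first:    %s serves %s%n", p, raw[0], raw[1]);
            System.out.printf("  decode-first: %s serves %s%n", dec[0], dec[1]);
            System.out.printf("  flag for review: %b%n", handlerDiffers(p));
        }
    }
}
```

With the raw-first order the encoded path is routed to the static handler yet resolves to the `.jsp` file; with decode-first both decisions are made on the same string, and `handlerDiffers` can be run over access-log paths to find requests that relied on the mismatch.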
