----------
From: "Sverre H. Huseby" <[EMAIL PROTECTED]>
Date: Mon, 2 Apr 2001 21:03:30 +0200
To: [EMAIL PROTECTED]
Subject: [[EMAIL PROTECTED]: Tomcat may reveal script source code by URL
trickery 2]

Jon,

I sent the following to [EMAIL PROTECTED] a few days ago, as you
requested.  Now I wonder if it reached the correct people.  I see that
you cite "lovehacker" on the Tomcat developer list, even if his
advisory appeared on Bugtraq a day after I sent mine to you.  At least
it showed up a day after in my mailbox.  Comments?


Sverre.


----- Forwarded message from "Sverre H. Huseby" <[EMAIL PROTECTED]> -----

From: "Sverre H. Huseby" <[EMAIL PROTECTED]>
Subject: Tomcat may reveal script source code by URL trickery 2
Date: Sun, 1 Apr 2001 11:55:00 +0200
To: [EMAIL PROTECTED]
User-Agent: Mutt/1.2.5i

NOTE!  This is not the same advisory that I sent you some days ago.
Your fix for that advisory introduced a new bug, which is described
here.

I'm sending you this before contacting Bugtraq this time.  Please tell
me when you have a fix ready.


Sverre.

=====================================================================

Tomcat may reveal script source code by URL trickery 2
------------------------------------------------------

Sverre H. Huseby security advisory #4, 2001-04-01



Systems affected
----------------

Tomcat 4.0-b2, which includes fixes for a similar bug.  Other versions
may be vulnerable too.  The problem is only present when using
Tomcat's built-in web server, not when using Tomcat with Apache Web
Server.


Description
-----------

Tomcat (http://jakarta.apache.org/tomcat/), the Reference
Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
Technologies, may be tricked into revealing the source code of JSP
scripts by using simple URL encoding.


Details
-------

It seems that the built-in web server in affected versions of Tomcat
does URL decoding twice.  URLs like the following

  http://someplace.com:8080/index.js%2570

where %25 is a URL-encoded '%', and 70 is the hexadecimal value for
'p', return the source code of index.jsp rather than running the
script on the server side.

To speculate (read: guess): The JSP handler is skipped as this URL
does not end in ".jsp" (after URL decoding the first time), but the
static file handler is nevertheless able to map the URL into a correct
file name (doing URL decoding a second time).


Impact
------

This design error makes it possible to fetch the source code of JSP
scripts.  Such source code may contain database passwords and file
names, and may reveal design errors or programming bugs that make it
possible to further exploit the server or service.



Reported by Sverre H. Huseby, [EMAIL PROTECTED]

-- 
<URL:mailto:[EMAIL PROTECTED]>
<URL:http://shh.thathost.com/>

----- End forwarded message -----

-- 
<URL:mailto:[EMAIL PROTECTED]>
<URL:http://shh.thathost.com/>
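
The decode-twice mismatch guessed at in the advisory's Details section, next to a decode-once dispatcher, as an added example that is not part of the original messages and is not Tomcat's code. The handler functions, the WEBROOT contents and the returned tuples are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample web root: one JSP script and one static file.
WEBROOT = {
    "/index.jsp": '<% String dbPassword = "example"; %>',
    "/logo.txt": "static text",
}


def run_jsp(path):
    """Stand-in for the JSP handler: the script runs, its source is not sent."""
    return ("executed", path)


def serve_static(path, block_scripts=False):
    """Stand-in for the static file handler: returns file bytes verbatim."""
    if block_scripts and path.lower().endswith(".jsp"):
        return ("forbidden", path)
    if path not in WEBROOT:
        return ("not-found", path)
    return ("source", WEBROOT[path])


def dispatch_double_decode(raw_path):
    """Model of the advisory's guess: the handler is chosen on the path after
    one decode, but the file is looked up after a second decode."""
    once = unquote(raw_path)
    if once.endswith(".jsp"):
        return run_jsp(once)
    return serve_static(unquote(once))  # second decode: the two views diverge


def dispatch_decode_once(raw_path):
    """Decode exactly once and use that single value for both the handler
    choice and the file lookup; the static handler also refuses script files."""
    path = unquote(raw_path)
    if path.lower().endswith(".jsp"):
        return run_jsp(path)
    return serve_static(path, block_scripts=True)


if __name__ == "__main__":
    for p in ("/index.jsp", "/index.js%70", "/index.js%2570", "/logo.txt"):
        print(p, dispatch_double_decode(p)[0], dispatch_decode_once(p)[0])
```

With a single decode, the path from the advisory resolves to the literal name "/index.js%70", which does not exist, so nothing is served.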
