Yes, but all Apache does is redirect the request to Tomcat for handling. Tomcat itself decides whether to compile the JSP or serve the file as a "static file" (and hence, show the source). I saw this problem both directly to Tomcat (8080), and through Apache integration, until I did the workaround.
There IS somebody on the Tomcat development list who still has the problem -- he is running Tomcat as a Windows Service, with Apache integration, and the workaround doesn't seem to work. I cannot duplicate since I don't run it as a service or use mod_jk2 like he is. Are you sure you still see this with the workaround? It went away for me even with my apache-served urls. Also, is backrevving the JVM to 1.4.1 an option for you? I'd try that and see if that fixes the problem. The behaviour of your site WAS exactly the same as mine once I was able to get the problem to happen on my box, so it seems like we are all seeing the same thing. Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322 Novell, Inc., The Leading Provider of Net Business Solutions http://www.novell.com >>> [EMAIL PROTECTED] 8/13/03 6:53:39 AM >>> Ok. I have this problem but it isn't tomcat that is doing the serving of the JSP source. It is apache. This is my workers2.properties uri section: [uri:www.SITENAME.org/*.jsp] group=lbWWW [uri:www.SITENAME.org/*.adp] group=lbWWW [uri:www.SITENAME.org/*.inc] group=lbWWW [uri:www.SITENAME.org/servlet/*] group=lbWWW [uri:www.SITENAME.org/*.gs] group=lbWWW I am guessing the problem is because http://www.SITENAME.org/index.jsp%20 is not a match for http://www.SITENAME.org/*.jsp (that trailing space messes stuff up. Should I just create a RedirectMatch for this case that removes all trailing whitespace? Would mod_rewrite be better for this? I am using this list for this question because I KNOW the apache list doesn't want tomcat integration questions. --Angus > -----Original Message----- > From: Jeff Tulley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, August 12, 2003 9:14 PM > To: [EMAIL PROTECTED] > Subject: Re: security hole on windows tomcat? > > > I've verified that this workaround stops the problem on Win XP's 1.4.2 > and on NetWare's 1.4.2 > > Jeff Tulley ([EMAIL PROTECTED]) > (801)861-5322 > Novell, Inc., The Leading Provider of Net Business Solutions > http://www.novell.com > > >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>> > Sorry I've just realize this thread may be related to bugtraq > #4895132 > > (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The > workaround > is to add the following property when starting Tomcat: > > -Dsun.io.useCanonCaches=false > > Can someone try it and let me know if it change something. If this is > not working, then point me to a very simple test case and I > will file a > > new bugtraq bug. > > -- Jeanfrancois > > > Eric J. Pinnell wrote: > > >I think at this point this might be a worthwile canidate for Sun's > >bugparade. At least get it on their radars (if they don't know about > it > >already). It's interesting that the bug doesn't show up in Tomcat > 4.1.27. > >When 1.4.2 was released 4.1.24 was the latest stable build. > > > >Regardless the JDK/appserver/whatever should never puke it's guts and > spit > >out the source code when it gets a request it doesn't know how to > deal > >with. Upon failure it should result in some kind of error. Sun > might > >care about this... > > > >-e > > > >On Tue, 12 Aug 2003, Jeff Tulley wrote: > > > > > > > >>It is highly possible that this is dependent on the JVM you have > >>installed. I actually finally WAS able to see this on Windows XP, > but > >>only if Tomcat was running on JVM 1.4.2. The problem did NOT happen > >>with 1.4.1. Of course, JVM version is the one item I left off of my > >>"poll" in my email below. :) > >> > >>I'm trying to verify this on other OS's and track down what the > actual > >>problem is. > >> > >>But, if you run Tomcat on JVM 1.4.2, verify if you have this > problem. > >> > >>Jeff Tulley ([EMAIL PROTECTED]) > >>(801)861-5322 > >>Novell, Inc., The Leading Provider of Net Business Solutions > >>http://www.novell.com > >> > >> > >> > >>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>> > >>>>> > >>>>> > >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost > via > >>either port 8080 or port 80 - pages return fine without the %20 > >>suffix, > >>always return http 404 with the suffix. > >> > >>Murray > >>-----Original Message----- > >>From: Jeff Tulley [mailto:[EMAIL PROTECTED] > >>Sent: Wednesday, 13 August 2003 02:41 > >>To: [EMAIL PROTECTED] > >>Subject: RE: security hole on windows tomcat? > >> > >> > >>So this issue is confusing. It seems that indeed there IS an issue, > >>though most cannot see a problem. > >>Talking to some people off-list, it seems that some think it is a > JK2 > >>/ > >>workers2.properties issue. But I'm pretty sure that others have > seen > >>this going directly to port 8080. > >>We probably need to take a quick poll: > >> > >>If you have seen this security problem of being able to view JSP > >>source, in what scenario(s)? > >> > >>Tomcat version > >>OS version > >>Directly to Tomcat ("8080") or through Apache - JK or JK2? > >>(If you've seen the problem, please include your workers or > >>workers2.properties file, with a .txt extension) > >>Browser version(s) > >>url's where this was seen or not seen > >> > >>If you have seen this in multiple scenarios, and not in others, > please > >>list each separately. > >> > >> > >>I have NOT seen it in the following scenarios: > >> > >>Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27 > >>Windows 2000 5.00.2195 Service Pack 4 > >>Directly to port 8080 > >>Internet Explorer 6.0.2800.1106 with all security patches up to date > >>I tried http://(url):8080/index.jsp%20 > >> > >>Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only > >>adding one JNDIRealm beyond the default config) > >>Novell NetWare 6.5 > >>Directly to port 8080, and through Apache - mod_jk.nlm > >>Internet Explorer 6.0.2800.1106 with all security patches up to date > >>I tried http://(url):8080/index.jsp%20 and > >>https://(url)/tomcat/admin/index.jsp%20 > >> > >> > >>Hopefully this mail gets through; I haven't been seeing my emails > show > >>up on tomcat-user for some reason (I un/resubscribed today...) > >> > >>It would be really good to get to the bottom of this! > >> > >>Jeff Tulley ([EMAIL PROTECTED]) > >>(801)861-5322 > >>Novell, Inc., The Leading Provider of Net Business Solutions > >>http://www.novell.com > >> > >> > >> > >>>>>[EMAIL PROTECTED] 8/12/03 6:02:55 AM >>> > >>>>> > >>>>> > >>can you turn on debugging for the default servlet(conf/web.xml) and > >>also > >>turn on the requestdumpervalve(server.xml) and post the log. > >> > >> > >>------------------------------------------------------------ > --------- > >>To unsubscribe, e-mail: [EMAIL PROTECTED] > >>For additional commands, e-mail: [EMAIL PROTECTED] > >> > >> > >> > >> > >>------------------------------------------------------------ > --------- > >>To unsubscribe, e-mail: [EMAIL PROTECTED] > >>For additional commands, e-mail: [EMAIL PROTECTED] > > >> > >> > >>------------------------------------------------------------ > --------- > >>To unsubscribe, e-mail: [EMAIL PROTECTED] > >>For additional commands, e-mail: [EMAIL PROTECTED] > > >> > >> > >> > >> > > > >--------------------------------------------------------------------- > >To unsubscribe, e-mail: [EMAIL PROTECTED] > >For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
