I ONLY see the problem in Apache. So I think it is a config problem. Will the jk2 URI [uri:www.SITENAME.org/*.jsp] catch www.SITENAME.org/index.jsp%20 ? When I turn on the accessvalve, Tomcat doesn't see this request.
> -----Original Message-----
> From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2003 11:24 AM
> To: [EMAIL PROTECTED]
> Subject: RE: security hole on windows Apache -> Tomcat?
>
> Yes, but all Apache does is redirect the request to Tomcat for handling.
> Tomcat itself decides whether to compile the JSP or serve the file as a
> "static file" (and hence, show the source). I saw this problem both
> directly to Tomcat (8080), and through Apache integration, until I did
> the workaround.
>
> There IS somebody on the Tomcat development list who still has the
> problem -- he is running Tomcat as a Windows Service, with Apache
> integration, and the workaround doesn't seem to work. I cannot
> duplicate since I don't run it as a service or use mod_jk2 like he is.
>
> Are you sure you still see this with the workaround? It went away for
> me even with my apache-served urls. Also, is backrevving the JVM to
> 1.4.1 an option for you? I'd try that and see if that fixes the
> problem.
>
> The behaviour of your site WAS exactly the same as mine once I was able
> to get the problem to happen on my box, so it seems like we are all
> seeing the same thing.
>
> Jeff Tulley ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
>
> >>> [EMAIL PROTECTED] 8/13/03 6:53:39 AM >>>
> Ok. I have this problem but it isn't tomcat that is doing the serving
> of the JSP source. It is apache. This is my workers2.properties uri
> section:
>
> [uri:www.SITENAME.org/*.jsp]
> group=lbWWW
> [uri:www.SITENAME.org/*.adp]
> group=lbWWW
> [uri:www.SITENAME.org/*.inc]
> group=lbWWW
> [uri:www.SITENAME.org/servlet/*]
> group=lbWWW
> [uri:www.SITENAME.org/*.gs]
> group=lbWWW
>
> I am guessing the problem is because
> http://www.SITENAME.org/index.jsp%20 is not a match for
> http://www.SITENAME.org/*.jsp (that trailing space messes stuff up).
> Should I just create a RedirectMatch for this case that removes all
> trailing whitespace? Would mod_rewrite be better for this? I am using
> this list for this question because I KNOW the apache list doesn't want
> tomcat integration questions.
> --Angus
>
> > -----Original Message-----
> > From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 12, 2003 9:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: security hole on windows tomcat?
> >
> > I've verified that this workaround stops the problem on Win XP's 1.4.2
> > and on NetWare's 1.4.2
> >
> > Jeff Tulley ([EMAIL PROTECTED])
> > (801)861-5322
> > Novell, Inc., The Leading Provider of Net Business Solutions
> > http://www.novell.com
> >
> > >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> > Sorry, I've just realized this thread may be related to bugtraq
> > #4895132
> >
> > (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The
> > workaround is to add the following property when starting Tomcat:
> >
> > -Dsun.io.useCanonCaches=false
> >
> > Can someone try it and let me know if it changes something. If this is
> > not working, then point me to a very simple test case and I will file a
> > new bugtraq bug.
> >
> > -- Jeanfrancois
> >
> > Eric J. Pinnell wrote:
> >
> > >I think at this point this might be a worthwhile candidate for Sun's
> > >bugparade. At least get it on their radars (if they don't know about it
> > >already). It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> > >When 1.4.2 was released 4.1.24 was the latest stable build.
> > >
> > >Regardless the JDK/appserver/whatever should never puke its guts and spit
> > >out the source code when it gets a request it doesn't know how to deal
> > >with. Upon failure it should result in some kind of error. Sun might
> > >care about this...
> > >
> > >-e
> > >
> > >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> > >
> > >>It is highly possible that this is dependent on the JVM you have
> > >>installed. I actually finally WAS able to see this on Windows XP, but
> > >>only if Tomcat was running on JVM 1.4.2. The problem did NOT happen
> > >>with 1.4.1. Of course, JVM version is the one item I left off of my
> > >>"poll" in my email below. :)
> > >>
> > >>I'm trying to verify this on other OS's and track down what the actual
> > >>problem is.
> > >>
> > >>But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
> > >>
> > >>Jeff Tulley ([EMAIL PROTECTED])
> > >>(801)861-5322
> > >>Novell, Inc., The Leading Provider of Net Business Solutions
> > >>http://www.novell.com
> > >>
> > >>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
> > >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
> > >>either port 8080 or port 80 - pages return fine without the %20 suffix,
> > >>always return http 404 with the suffix.
> > >>
> > >>Murray
> > >>-----Original Message-----
> > >>From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> > >>Sent: Wednesday, 13 August 2003 02:41
> > >>To: [EMAIL PROTECTED]
> > >>Subject: RE: security hole on windows tomcat?
> > >>
> > >>So this issue is confusing. It seems that indeed there IS an issue,
> > >>though most cannot see a problem.
> > >>Talking to some people off-list, it seems that some think it is a JK2 /
> > >>workers2.properties issue. But I'm pretty sure that others have seen
> > >>this going directly to port 8080.
> > >>We probably need to take a quick poll:
> > >>
> > >>If you have seen this security problem of being able to view JSP
> > >>source, in what scenario(s)?
> > >>
> > >>Tomcat version
> > >>OS version
> > >>Directly to Tomcat ("8080") or through Apache - JK or JK2?
> > >>(If you've seen the problem, please include your workers or
> > >>workers2.properties file, with a .txt extension)
> > >>Browser version(s)
> > >>url's where this was seen or not seen
> > >>
> > >>If you have seen this in multiple scenarios, and not in others, please
> > >>list each separately.
> > >>
> > >>I have NOT seen it in the following scenarios:
> > >>
> > >>Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
> > >>Windows 2000 5.00.2195 Service Pack 4
> > >>Directly to port 8080
> > >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> > >>I tried http://(url):8080/index.jsp%20
> > >>
> > >>Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
> > >>adding one JNDIRealm beyond the default config)
> > >>Novell NetWare 6.5
> > >>Directly to port 8080, and through Apache - mod_jk.nlm
> > >>Internet Explorer 6.0.2800.1106 with all security patches up to date
> > >>I tried http://(url):8080/index.jsp%20 and
> > >>https://(url)/tomcat/admin/index.jsp%20
> > >>
> > >>Hopefully this mail gets through; I haven't been seeing my emails show
> > >>up on tomcat-user for some reason (I un/resubscribed today...)
> > >>
> > >>It would be really good to get to the bottom of this!
> > >>
> > >>Jeff Tulley ([EMAIL PROTECTED])
> > >>(801)861-5322
> > >>Novell, Inc., The Leading Provider of Net Business Solutions
> > >>http://www.novell.com
> > >>
> > >>>>>[EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
> > >>can you turn on debugging for the default servlet (conf/web.xml) and
> > >>also turn on the RequestDumperValve (server.xml) and post the log.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
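As an added example (not code from the thread, from Tomcat or from JK2), here is a Python model of the two mappings the thread argues about: whether a `[uri:.../*.jsp]` glob still forwards `/index.jsp%20` to Tomcat, and why a request that misses the JSP servlet can end up streaming the file's source once Windows canonicalises the trailing space away. The fnmatch glob semantics, the Win32 canonicalisation rule and the `serve()` handler names are simplifying assumptions; `serve(..., canon_check=True)` is the defensive comparison a container should make before serving a file, and it also covers a trailing dot, which goes beyond the `%20` case the thread discusses.

```python
from urllib.parse import unquote
import fnmatch

# URI patterns from the thread's workers2.properties, host prefix dropped.
JK2_URIS = ["/*.jsp", "/*.adp", "/*.inc", "/servlet/*", "/*.gs"]


def decode_path(raw_path: str) -> str:
    """Percent-decode the request path the way the front end does: '%20' becomes a real space."""
    return unquote(raw_path)


def jk2_forwards(raw_path: str) -> bool:
    """Does any uri: pattern forward this request to the Tomcat worker?
    Glob semantics are fnmatch's (an assumption; JK2's own matcher may differ)."""
    path = decode_path(raw_path)
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in JK2_URIS)


def win32_canonical(path: str) -> str:
    """Model Win32 filename canonicalisation (assumed, simplified): trailing spaces
    and dots on the last segment are dropped, so opening 'index.jsp ' opens index.jsp."""
    head, _, name = path.rpartition("/")
    return head + "/" + name.rstrip(" .")


def tomcat_mapping(path: str) -> str:
    """Extension-based servlet mapping: only an exact '.jsp' suffix reaches the JSP
    servlet; anything else falls through to the default (static file) servlet."""
    return "jsp" if path.endswith(".jsp") else "default"


def serve(raw_path: str, canon_check: bool) -> str:
    """Describe how the request is handled.
    canon_check=False models the behaviour reported in the thread: the default servlet
    opens the canonicalised file and streams it as static content, i.e. JSP source leaks.
    canon_check=True adds the defensive rule: serve nothing unless the requested name
    already equals its canonical form (the same idea as the RedirectMatch/mod_rewrite
    cleanup Angus proposes, applied at the container instead)."""
    path = decode_path(raw_path)
    if tomcat_mapping(path) == "jsp":
        return "jsp-servlet executes " + path
    canonical = win32_canonical(path)
    if canon_check and canonical != path:
        return "404"
    return "default-servlet streams " + canonical


if __name__ == "__main__":
    for raw in ("/index.jsp", "/index.jsp%20", "/index.jsp%2e"):
        print(raw, "| jk2 forwards:", jk2_forwards(raw),
              "| vulnerable:", serve(raw, False), "| checked:", serve(raw, True))
```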
