The URL would be: <http://donor.ucsd.edu:7873/ccdb/servlet/org.apache.catalina.servlets.DefaultServlet/experiment/index.jsp>

And yes, you are vulnerable ;-)

Broken down:

/ccdb - the context path of your webapp
/servlet - the path mapped to the invoker servlet **this is the dangerous part**
/org.apache.catalina.servlets.DefaultServlet - used by the invoker servlet to determine what servlet class to invoke
/experiment/index.jsp - the context-relative path to your JSP, served statically by the DefaultServlet

--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863

> -----Original Message-----
> From: Mona Wong-Barnum [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 25, 2002 6:16 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
>
> I tried to test this security vulnerability on my tomcat 4.0.4 (alone)
> setup but wasn't able to view my JSP files as claimed.
>
> According to
> http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0,
> if my JSP file is accessible via
> http://donor.ucsd.edu:7873/ccdb/experiment/index.jsp then I should be
> able to view my source. However, I tried 2 different URLs
> (http://donor.ucsd.edu:7873/ccdb/experiment/org.apache.catalina.servlets.DefaultServlet/index.jsp
> and
> http://donor.ucsd.edu:7873/org.apache.catalina.servlets.DefaultServlet/ccdb/experiment/index.jsp)
> and all I got was a tomcat 404 error page.
>
> Has anyone actually been able to view their JSP source via this
> vulnerability?
>
> Mona
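The URL shape Tim breaks down above, and the web.xml mapping he flags as the dangerous part, turned into three small checks. This is an added example, not code from the original thread or from Tomcat: it builds the invoker probe URL for a given context and JSP path, classifies a response body as leaked JSP source versus rendered output, and scans a web.xml for url-patterns bound to the invoker servlet. It assumes the invoker servlet class is org.apache.catalina.servlets.InvokerServlet (the name used in Tomcat 4's shipped conf/web.xml); the web.xml fragments, hostname and response bodies are constructed for illustration and nothing here touches the network.

```python
"""Added example, not from the original thread: checks for the Tomcat 4.x
invoker-servlet JSP source disclosure described above.

Assumptions: the invoker servlet class is org.apache.catalina.servlets.InvokerServlet
(the name used in Tomcat 4's shipped conf/web.xml); the web.xml fragments and
response bodies below are constructed for illustration, not captured traffic.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"  # assumed invoker class name


def build_probe_url(base, context, jsp_path, invoker_prefix="/servlet"):
    """Assemble <base>/<context><invoker_prefix>/<DefaultServlet class>/<jsp_path>.

    The invoker servlet treats the first path segment after its mapping as a
    class name and hands the remaining path to that servlet; the DefaultServlet
    then serves the JSP as a plain static file instead of compiling it.
    """
    context = "/" + context.strip("/")
    jsp_path = "/" + jsp_path.lstrip("/")
    return f"{base.rstrip('/')}{context}{invoker_prefix}/{DEFAULT_SERVLET}{quote(jsp_path)}"


# Rendered JSP output never contains <% ... %> or <jsp:...> because the container
# consumed them; seeing them in a 200 response means the source leaked.
JSP_SOURCE_MARKERS = re.compile(r"<%(?!--)|<jsp:", re.IGNORECASE)


def looks_like_jsp_source(body):
    """True when a response body still carries JSP directives, scriptlets or jsp: tags."""
    return JSP_SOURCE_MARKERS.search(body) is not None


def _local(tag):
    """Strip any XML namespace so the scan works on both old and new web.xml files."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def invoker_mappings(web_xml):
    """Return the url-patterns mapped to the invoker servlet in a web.xml document.

    A non-empty result (typically ['/servlet/*']) is the dangerous setting; on
    Tomcat 4 the fix is to remove or comment out that <servlet-mapping>.
    """
    root = ET.fromstring(web_xml)
    invoker_names = {
        _child_text(s, "servlet-name")
        for s in root.iter()
        if _local(s.tag) == "servlet" and _child_text(s, "servlet-class") == INVOKER_CLASS
    }
    return [
        _child_text(m, "url-pattern")
        for m in root.iter()
        if _local(m.tag) == "servlet-mapping"
        and _child_text(m, "servlet-name") in invoker_names
    ]


# Constructed web.xml fragments: the weak setting and the corrected one.
VULNERABLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

HARDENED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <!-- mapping removed: nothing reaches the invoker, so /servlet/<class>/... is a 404 -->
</web-app>"""

# Constructed response bodies: raw JSP versus the page as the container would render it.
DISCLOSED_BODY = '<%@ page import="java.sql.*" %>\n<% String dbPass = request.getParameter("p"); %>\n<html>...</html>'
RENDERED_BODY = "<html><body><h1>Experiments</h1><!-- built 2002 --></body></html>"

if __name__ == "__main__":
    url = build_probe_url("http://tomcat.example.test:8080", "ccdb", "experiment/index.jsp")
    print("probe URL:", url)
    print("disclosed body leaks source:", looks_like_jsp_source(DISCLOSED_BODY))
    print("rendered body leaks source:", looks_like_jsp_source(RENDERED_BODY))
    print("invoker mappings (vulnerable):", invoker_mappings(VULNERABLE_WEB_XML))
    print("invoker mappings (hardened):", invoker_mappings(HARDENED_WEB_XML))
```

The two URLs Mona tried put the DefaultServlet class name either before or without the `/servlet` prefix, so the request never reaches the invoker and Tomcat answers 404, which is exactly what the 404 in her test shows; build_probe_url keeps the prefix in the position the invoker needs. Running invoker_mappings over conf/web.xml (and each webapp's WEB-INF/web.xml) is the quick way to tell whether a host has the mapping at all before probing it.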
