tomcat-JSP-source.txt

tomcat-JSP-source.txt: Posted Sep 25, 2002; Authored by Rossen Raykov; A vulnerability found in default Apache Tomcat 4.x installation can be used to remotely disclose the source of served JSP files. The Tomcat developers fixed this issue in the Tomcat versions 4.0.5 and 4.1.12, which are available here.; SHA-256 | 2fef92ed7d59d75004c3b7399e643001f93de8ce9846efd4fb65db9ad40f1db1; Download | Favorite | View

tomcat-JSP-source.txt

        Tomcat 4.x JSP source exposure security advisory

1. Summary
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.

2. Details:
Let say you have valid URL like http://my.site/login.jsp, then an URL like
http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
will give you the source code of the JSP page.

The full syntaxes of the exposure URL is:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet
/[context_relative_path/]file_name.jsp

For example to see the JSP source of Tomcat 4.1.10 admin application
http://localhost:8080/admin/index.jsp
execute
http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServ
let/index.jsp

3. Solution:
        3.1 Upgrade to the last releases 4.0.5 and 4.1.12
                See
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last
releases.

        3.2 Workaround:
There are at least two ways to protect from this vulnerability.
        A. Tomcat in tandem with HTTP server front-end:
                a. If you are using front-end HTTP server you can filter all
requests with the pattern
*/servlet/org.apache.catalina.servlets.DefaultServlet*
                b. If you are using mod_jk to connect tomcat to you
front-end server map to Tomcat only the URL's that are part from you
application but not all request. See the usage of JkMount directive.
        B. If you are using standalone Tomcat then add protection for this
location in all you application descriptors - web.xml. Simple example:

<security-constraint>
  <display-name>Default Servlet</display-name>
  <!-- Disable direct alls on the Default Servlet</web-resource-name -->
  <web-resource-collection>
    <web-resource-name>Disallowed Location</web-resource-name>
 
<url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pat
tern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

        See the server's documentation for more details.

Regards,
Rossen Raykov

PS. Special thanks to the Tomcat development team for their quick response.

---
Rossen Raykov
COGNICASE U.S.A. Inc.
(908) 860-1100 Ext. 1140
Rossen.Raykov@CognicaseUSA.com

Top Authors In Last 30 Days

Red Hat 228 files
indoushka 159 files
Jay Turla 150 files
Ubuntu 65 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

tomcat-JSP-source.txt

tomcat-JSP-source.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

tomcat-JSP-source.txt

Share This

tomcat-JSP-source.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems