Posted to dev@tomcat.apache.org by Renzo Toma <re...@xs4all.nl> on 2001/03/30 12:32:12 UTC

FW: Tomcat may reveal script source code by URL trickery

Just in case you missed it.

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Sverre
H. Huseby
Sent: Thursday, 29 March 2001 10:12
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Tomcat may reveal script source code by URL trickery


Tomcat may reveal script source code by URL trickery
----------------------------------------------------

Sverre H. Huseby advisory 2001-03-29



Systems affected
----------------

Tomcat 4.0-b1 (latest milestone) and nightly build as of 2001-03-28
tested.  Other versions may be vulnerable too.  The problem is only
present when using Tomcat's built in web server, not when using Tomcat
with Apache Web Server.


Description
-----------

Tomcat (http://jakarta.apache.org/tomcat/), the Reference
Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
Technologies, may be tricked into revealing the source code of JSP
scripts by using simple URL encoding.


Details
-------

It seems that the built in web server in Tomcat does URL decoding in
an unreasonable order.  URLs like the following

  http://XXX:8080/examples/jsp/num/numguess.js%70

where %70 is a URL-encoded 'p', returns the source code of index.jsp
rather than running the script on the server side.

To speculate: The JSP handler is skipped as this URL does not end in
".jsp", but the static file handler is nevertheless able to map the
URL into a correct file name.


Impact
------

This design error makes it possible to fetch the source code of JSP
scripts.  Such source code may contain database passwords and file
names, and may reveal design errors or programming bugs that make it
possible to further exploit the server or service.



Reported by Sverre H. Huseby, shh@thathost.com

--
<UR...@thathost.com>
<URL:http://shh.thathost.com/>

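The following is an added illustration, not part of the thread and not Tomcat's code. It models the decode-order problem the advisory speculates about: a dispatcher that picks the handler from the raw request path and only afterwards percent-decodes the path to locate a file, next to a hardened dispatcher that canonicalises once and makes every decision on the same string. The document root, the file contents, and the function names are all constructed for the example; the handler stand-ins do not execute anything.

```python
"""Decode-order bug: handler choice on the raw URL, file lookup on the decoded one.

Added example (not Tomcat's code).  DOCROOT, the file bodies and all
function names are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

# Constructed docroot.  The JSP embeds a credential, which is exactly the
# kind of thing the advisory's Impact section warns about.
DOCROOT = {
    "/examples/jsp/num/numguess.jsp":
        '<%@ page import="java.sql.*" %><% String dbPassword = "s3cret"; %>',
    "/examples/index.html": "<html>hello</html>",
}


def run_jsp(path):
    """Stand-in for the JSP handler: 'executes' the page, never echoes source."""
    return ("jsp", f"<executed {path}>")


def serve_static(path):
    """Stand-in for the static file handler: returns the file body verbatim."""
    body = DOCROOT.get(path)
    if body is None:
        return ("404", "")
    return ("static", body)


def canonical(path):
    """Decode %xx escapes once, then collapse '.' and '..' segments."""
    norm = posixpath.normpath(unquote(path))
    return norm if norm.startswith("/") else "/" + norm


def vulnerable_dispatch(raw_path):
    """Bug: the extension test sees the raw path, the file lookup sees the decoded one."""
    if raw_path.endswith(".jsp"):
        return run_jsp(raw_path)
    return serve_static(canonical(raw_path))


def hardened_dispatch(raw_path):
    """Fix: canonicalise first, then route and look up using that one string."""
    path = canonical(raw_path)
    if path.endswith(".jsp"):
        return run_jsp(path)
    return serve_static(path)


def encoded_variants(path):
    """Each way of percent-encoding exactly one character of the final extension.

    This is the probe a tester would fire at a server: numguess.js%70,
    numguess.j%73p, numguess.%6Asp, ...
    """
    stem, dot, ext = path.rpartition(".")
    if not dot:
        return []
    return [f"{stem}.{ext[:i]}%{ord(ch):02X}{ext[i + 1:]}"
            for i, ch in enumerate(ext)]


def leaks_source(dispatch, path):
    """True if any single-character encoding of the extension returns the file body."""
    return any(dispatch(v)[0] == "static" for v in encoded_variants(path))


if __name__ == "__main__":
    target = "/examples/jsp/num/numguess.jsp"
    for name, d in (("vulnerable", vulnerable_dispatch), ("hardened", hardened_dispatch)):
        print(name, "leaks source:", leaks_source(d, target))
```

The hardened variant decodes exactly once; a double-encoded request such as `numguess.js%2570` decodes to `numguess.js%70`, matches no handler and no file, and gets a 404 rather than a second decoding pass. The same one-string-for-all-decisions rule is what keeps the JSP mapping and the file lookup from disagreeing.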

RE: FW: Tomcat may reveal script source code by URL trickery

Posted by Marc Saegesser <ma...@apropos.com>.
Tomcat 3.1.x and 3.2.x do not suffer from this problem.

> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Friday, March 30, 2001 12:26 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: FW: Tomcat may reveal script source code by URL trickery
>
>
>
>
> On Fri, 30 Mar 2001, Renzo Toma wrote:
>
> >
> > Just in case you missed it.
> >
>
> I'm working on this ... (compiling as I type).
>
> Craig
>
>


Re: FW: Tomcat may reveal script source code by URL trickery

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 30 Mar 2001, Renzo Toma wrote:

> 
> Just in case you missed it.
> 

I'm working on this ... (compiling as I type).

Craig

