Posted to users@tomcat.apache.org by "Paul Sundling(\"Webdaddy\")" <tk...@tkz.net> on 2003/08/10 06:00:49 UTC
security hole on windows tomcat?
I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat 4.1.24 is vulnerable.
I found that if you append %20 to a jsp page it shows the source code
instead of displaying the page:
http://192.168.1.54:8080/index.jsp <shows page as expected>
http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
So how widespread is this?
Paul Sundling
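As an added example, not code from the thread or from Tomcat: a small check a defender could run over Tomcat access logs for the pattern Paul describes, a request whose decoded path ends in `.jsp` followed by whitespace, which should never be a legitimate URL. It generalizes slightly beyond the post by treating any percent-encoded trailing whitespace (for example %09) like %20, and it rates a 200 response as the worrying case, since a 404 is the expected outcome. The log lines, the log format regex and the function names are constructed assumptions, not from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in common log format; not taken from the thread.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Aug/2003:06:00:49 +0000] "GET /index.jsp HTTP/1.1" 200 1532
192.168.1.10 - - [10/Aug/2003:06:01:02 +0000] "GET /index.jsp%20 HTTP/1.1" 200 2210
192.168.1.11 - - [10/Aug/2003:06:01:30 +0000] "GET /john/test.jsp%20 HTTP/1.1" 404 802
192.168.1.12 - - [10/Aug/2003:06:02:11 +0000] "GET /admin/login.jsp%09 HTTP/1.1" 200 3100
192.168.1.13 - - [10/Aug/2003:06:02:40 +0000] "GET /static/logo.png HTTP/1.1" 200 9000
"""

# Assumed common log format: client, ident, user, [timestamp], "method target proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def suspicious_jsp_path(target: str) -> bool:
    """True when the percent-decoded path ends in .jsp followed only by whitespace."""
    path = target.split("?", 1)[0]          # ignore the query string
    decoded = unquote(path)                 # %20 -> " ", %09 -> "\t", ...
    stripped = decoded.rstrip()
    return decoded != stripped and stripped.lower().endswith(".jsp")


def scan(log_text: str):
    """Return one finding per request that matches the mangled-JSP-name pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not suspicious_jsp_path(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": status,
            # A 200 means the container served something for the mangled name;
            # on the setup described in the post that something is the JSP source.
            "severity": "high" if status == 200 else "probe",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```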
Re: security hole on windows tomcat?
Posted by Mikko Hämäläinen <mi...@hotmail.com>.
Hi,
I use Tomcat 4.1.18 on win2k and it seems to be safe. I also tested that
with Tomcat 4.0.1 on Redhat and it was ok too.
----- Original Message -----
From: "Paul Sundling("Webdaddy")" <tk...@tkz.net>
To: <to...@jakarta.apache.org>
Sent: Sunday, August 10, 2003 7:00 AM
Subject: security hole on windows tomcat?
> I came across what appears to be a security hole when running tomcat.
> I'm not sure how widespread it is, but my linux server is safe, yet my
> windows XP, tomcat 4.1.24 is vulnerable.
>
> I found that if you append %20 to a jsp page it shows the source code
> instead of displaying the page:
>
> http://192.168.1.54:8080/index.jsp <shows page as expected>
> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>
> So how widespread is this?
>
> Paul Sundling
Re: security hole on windows tomcat?
Posted by Kwok Peng Tuck <pe...@makmal.net>.
Can't replicate your problem, tried both Linux and win2k.
Version of tomcat is the same as yours.
Paul Sundling("Webdaddy") wrote:
> I came across what appears to be a security hole when running tomcat.
> I'm not sure how widespread it is, but my linux server is safe, yet my
> windows XP, tomcat 4.1.24 is vulnerable.
>
> I found that if you append %20 to a jsp page it shows the source code
> instead of displaying the page:
>
> http://192.168.1.54:8080/index.jsp <shows page as expected>
> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>
> So how widespread is this?
>
> Paul Sundling
Re: security hole on windows tomcat?
Posted by John Turner <to...@johnturner.com>.
Sorry, that should be http://localhost:8080/john/test.jsp%20 = 404
No Apache is involved.
John
John Turner wrote:
>
> Red Hat Linux.
>
> I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
> minutes ago, .exe install, installed as service).
>
> http://localhost/john/test.jsp%20 = 404
>
> John
>
> Paul Sundling wrote:
>
>> which operating system?
>>
>> Paul
>>
>> John Turner wrote:
>>
>>>
>>> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>>>
>>> John
>>>
>>> Paul Sundling("Webdaddy") wrote:
>>>
>>>> I came across what appears to be a security hole when running
>>>> tomcat. I'm not sure how widespread it is, but my linux server is
>>>> safe, yet my windows XP, tomcat 4.1.24 is vulnerable.
>>>>
>>>> I found that if you append %20 to a jsp page it shows the source
>>>> code instead of displaying the page:
>>>>
>>>> http://192.168.1.54:8080/index.jsp <shows page as expected>
>>>> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>>>>
>>>> So how widespread is this?
>>>>
>>>> Paul Sundling
Re: security hole on windows tomcat?
Posted by John Turner <to...@johnturner.com>.
Red Hat Linux.
I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
minutes ago, .exe install, installed as service).
http://localhost/john/test.jsp%20 = 404
John
Paul Sundling wrote:
> which operating system?
>
> Paul
>
> John Turner wrote:
>
>>
>> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>>
>> John
>>
>> Paul Sundling("Webdaddy") wrote:
>>
>>> I came across what appears to be a security hole when running tomcat.
>>> I'm not sure how widespread it is, but my linux server is safe, yet
>>> my windows XP, tomcat 4.1.24 is vulnerable.
>>>
>>> I found that if you append %20 to a jsp page it shows the source code
>>> instead of displaying the page:
>>>
>>> http://192.168.1.54:8080/index.jsp <shows page as expected>
>>> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>>>
>>> So how widespread is this?
>>>
>>> Paul Sundling
Re: security hole on windows tomcat?
Posted by Paul Sundling <sp...@tkz.net>.
Which operating system?
Paul
John Turner wrote:
>
> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>
> John
>
> Paul Sundling("Webdaddy") wrote:
>
>> I came across what appears to be a security hole when running tomcat.
>> I'm not sure how widespread it is, but my linux server is safe, yet
>> my windows XP, tomcat 4.1.24 is vulnerable.
>>
>> I found that if you append %20 to a jsp page it shows the source code
>> instead of displaying the page:
>>
>> http://192.168.1.54:8080/index.jsp <shows page as expected>
>> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>>
>> So how widespread is this?
>>
>> Paul Sundling
Re: security hole on windows tomcat?
Posted by John Turner <to...@johnturner.com>.
Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
John
Paul Sundling("Webdaddy") wrote:
> I came across what appears to be a security hole when running tomcat.
> I'm not sure how widespread it is, but my linux server is safe, yet my
> windows XP, tomcat 4.1.24 is vulnerable.
>
> I found that if you append %20 to a jsp page it shows the source code
> instead of displaying the page:
>
> http://192.168.1.54:8080/index.jsp <shows page as expected>
> http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>
> So how widespread is this?
>
> Paul Sundling