Posted to dev@tomcat.apache.org by RoMaN SoFt / LLFB !! <ro...@madrid.com> on 2001/08/21 14:39:33 UTC

Security issues with Tomcat 3.2.x

 Hi.

 I'm using Jakarta Tomcat 3.2.2 with Apache 1.3.20 / mod_jk (Linux)
and I have some security-related questions:

1) I've read 3.2.3 is the latest available version for the 3.2.x branch
and that it covers a security issue. What is this security issue
about, and where could I read more about it? Could it be the
"2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability"
(http://www.securityfocus.com/vdb/bottom.html?vid=2982)?

2) Is there any patch, or is a future release planned, to cover the
"2001-08-16: Jakarta Tomcat 3.2.1 Error Message Information Disclosure
Vulnerability" issue?
(http://www.securityfocus.com/vdb/bottom.html?vid=3199)

3) The following is a security issue I'm experiencing. It may be a
configuration error made by myself, or perhaps a bug? I need some
help. Let's suppose you have a working .jsp page:
http://www.foo.com/bar/home.jsp. Then if you use the following URL the
.jsp source is shown instead of being executed by Tomcat:
http://www.foo.com/\bar/home.jsp. This is the way I'm mounting
the context (excerpt from the mod_jk.conf file):

Alias /bar /usr/local/tomcat/webapps/bar

JkMount /bar/*.jsp ajp13
JkMount /bar/*.xml ajp13
JkMount /bar/servlet/* ajp13

<Location /bar/WEB-INF/ >
    AllowOverride None
    deny from all
</Location>

<Location "/bar/META-INF/">
    AllowOverride None
    deny from all
</Location>

 Am I missing something, or is the \ trick a bug? Any workaround?

 Thanks in advance!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Re: Security issues with Tomcat 3.2.x

Posted by RoMaN SoFt / LLFB !! <ro...@madrid.com>.
On Wed, 22 Aug 2001 09:41:04 -0500, you wrote:

>JkMount /*.jsp ajp13

 Yes, this solves my problem. But I think this issue should be
documented. I remember having read about this directive for telling
Apache to forward *all* .jsp pages to Tomcat, but I haven't seen any
advice for preventing the "//" source view problem described. Normally
people will think that if they have their JSPs in the "foo" directory
it is sufficient to use something like "JkMount /foo/*.jsp ajp13". The
"//" is tricky...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re: Security issues with Tomcat 3.2.x

Posted by RoMaN SoFt / LLFB !! <ro...@madrid.com>.
On Tue, 21 Aug 2001 09:47:33 -0500, you wrote:

>The problem is that Apache is serving the file and not forwarding the
>request to Tomcat.  Tomcat would *not* return the JSP contents for this URL,
>it would return a 404 error.

 Yes, it could be but...

>I've heard this same problem from another user who is also using Apache
>1.3.20.  I can't duplicate the problem using Apache 1.3.19 so maybe
>something changed in the latest version of Apache.

 Are you using mod_jserv instead of mod_jk? I have another server with
a similar Apache setup (and the same version: 1.3.20) but using mod_jserv
(instead of mod_jk). There the bug couldn't be reproduced. I also
noticed that Apache/Tomcat changes the URL, replacing the \ char with a /. I
mean, if I enter "http://www.foo.com/\bar/home.jsp" in the browser then it
is automatically changed to "http://www.foo.com//bar/home.jsp" and a 404
error is returned.

 Who is doing this replacement? Apache or Tomcat? Perhaps that is
the trace that confirms who is serving the .jsp source.

 Some data:

 This is the mod_jserv machine (apparently not vulnerable):

Server version: Apache/1.3.20 (Unix)
Server built:   Jul  4 2001 19:52:43
Server's Module Magic Number: 19990320:10
Server compiled with....
 -D EAPI
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_MMAP_FILES
 -D USE_SYSVSEM_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr/local/apacheJSP"
 -D SUEXEC_BIN="/usr/local/apacheJSP/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"

 This is the mod_jk machine (*vulnerable*):

Server version: Apache/1.3.20 (Unix)
Server built:   Jul 10 2001 18:04:44
Server's Module Magic Number: 19990320:10
Server compiled with....
 -D EAPI
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_MMAP_FILES
 -D USE_SYSVSEM_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"

>I'd go back to Apache 1.3.19 and see if that fixes the problem.  Another
>solution is to add the following line to your mod_jk.conf file
>
>JkMount /bar/* ajp13

 This doesn't solve the problem because the \ trick is performed
before /bar. Since I'm requesting bar.jsp, it would equally match
/bar/*.jsp as well as /bar/*.

 Any ideas? TIA

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
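As an added example (not code from this thread, from mod_jk or from Apache), the script below models the point argued in the two replies above: a mount table of the form `/bar/*.jsp` or `/bar/*` never matches a request whose path arrives as `//bar/home.jsp`, while `/*.jsp` does. The matching rules are an assumed simplification (a JkMount pattern is a literal prefix with `*` matching any run of characters, compared against the path as the browser rewrote it, with no collapsing of `//`); the mount tables and request paths are constructed from the messages above.

```python
"""Model of which party serves a request under a mod_jk mount table.

Added illustration for this thread, not mod_jk's own code. Assumption:
a JkMount pattern is matched verbatim against the request path, '*'
matches any run of characters, and '//' is not collapsed before the
match is made.
"""
from fnmatch import fnmatchcase

# Constructed mount tables: the original post, Marc's suggestion, and the
# catch-all that the poster reports as solving the problem.
ORIGINAL_MOUNTS = ["/bar/*.jsp", "/bar/*.xml", "/bar/servlet/*"]
MARC_MOUNTS = ORIGINAL_MOUNTS + ["/bar/*"]
CATCH_ALL_MOUNTS = ORIGINAL_MOUNTS + ["/*.jsp"]

# Constructed request paths: the normal one and the variant from the post.
REQUESTS = ["/bar/home.jsp", "/\\bar/home.jsp", "//bar/home.jsp"]


def browser_rewrite(url_path: str) -> str:
    """Mimic the rewrite the thread reports: a backslash in the path is
    turned into a forward slash before the request reaches Apache."""
    return url_path.replace("\\", "/")


def is_forwarded(path: str, mounts) -> bool:
    """True if any JkMount pattern matches the (un-normalized) path."""
    return any(fnmatchcase(path, m) for m in mounts)


def who_serves(url_path: str, mounts) -> str:
    """'tomcat' if the connector takes the request, 'apache' if Apache
    serves it itself (for a .jsp, that means the source is sent as a
    static file, which is the disclosure described in the thread)."""
    return "tomcat" if is_forwarded(browser_rewrite(url_path), mounts) else "apache"


def unforwarded_jsps(url_paths, mounts):
    """Audit helper: the .jsp request paths Apache would serve itself."""
    return [p for p in url_paths
            if p.endswith(".jsp") and who_serves(p, mounts) == "apache"]


if __name__ == "__main__":
    for name, mounts in [("original", ORIGINAL_MOUNTS),
                         ("with /bar/*", MARC_MOUNTS),
                         ("with /*.jsp", CATCH_ALL_MOUNTS)]:
        print(f"{name:12s} -> served by Apache: {unforwarded_jsps(REQUESTS, mounts)}")
```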

RE: Security issues with Tomcat 3.2.x

Posted by Marc Saegesser <ma...@apropos.com>.
The problem is that Apache is serving the file and not forwarding the
request to Tomcat.  Tomcat would *not* return the JSP contents for this URL,
it would return a 404 error.

I've heard this same problem from another user who is also using Apache
1.3.20.  I can't duplicate the problem using Apache 1.3.19 so maybe
something changed in the latest version of Apache.

I'd go back to Apache 1.3.19 and see if that fixes the problem.  Another
solution is to add the following line to your mod_jk.conf file

JkMount /bar/* ajp13

This will send requests for *all* resources in your webapp to Tomcat.  Yes,
it may degrade performance a little bit, but it makes certain that Tomcat
remains in complete control over the security of *all* resources inside the
webapp.  A lot of effort has gone into preventing protected webapp resources
from being served by Tomcat.  If you open things up to an outside party then
you have to make sure that party obeys all the same rules.

Marc Saegesser

> -----Original Message-----
> From: RoMaN SoFt / LLFB !! [mailto:roman@madrid.com]
> Sent: Tuesday, August 21, 2001 7:40 AM
> To: tomcat-dev@jakarta.apache.org
> Subject: Security issues with Tomcat 3.2.x