Posted to dev@tomcat.apache.org by Peter Thomas <pe...@securitywatch.com> on 2001/04/02 11:37:36 UTC

[Fwd: Re: CHINANSL Security Advisory(CSA-200108)]

Dear Apache, 

Further to these postings on Bugtraq, could you confirm whether this
directory traversal vulnerability has indeed been fixed in the latest
versions of Tomcat?

Kindest regards,


Peter Thomas - Editor - http://www.securitywatch.com 
tel +32 (0)16 28 73 14 - fax +32 (0)16 28 7288   
Grensstraat 1b - B-3010 Leuven - Belgium

*E-security rule #1: ignorance is never a defense*



-------- Original Message --------
From: jon@LATCHKEY.COM (Jon Stevens)
Subject: Re: CHINANSL Security Advisory(CSA-200108)
Newsgroups: lists.bugtraq

on 3/30/01 11:26 PM, "lovehacker" <lo...@263.NET> wrote:

> Topic:
> Tomcat 3.2.1 for win2000 Directory traversal
> Vulnerability
>
> vulnerable:
> Tomcat 3.2.1 for win2000
> maybe for other operating system also.
>
> discussion:
> A security vulnerability has been found in Windows
> NT/2000 systems that have Tomcat 3.2.1
> installed. The
> vulnerability allows remote attackers to access files
> outside the document root directory scope.
>
> exploits:
> http://target:8080/%2e%2e/%2e%2e/%00.jsp
> It is possible to cause the Tomcat server to Listing
> outside the document root directory scope.
>
> solution:
> None
>
> Copyright 2000-2001 CHINANSL. All Rights
> Reserved. Terms of use.
>
> CHINANSL Security Team
> <lo...@chinansl.com>
> CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> (http://www.chinansl.com)

What is with this Copyright stuff?

#1. Please report security issues to security@apache.org and/or
tomcat-dev@jakarta.apache.org first. It seems like that is a common
courtesy.

#2. Please test against the latest Tomcat 4.0 which is 4.0b2. I believe
that this has already been fixed.

p.s. Your lovehacker@263.net email address bounces.

-jon

RE: TC3.2.x and security problems

Posted by Marc Saegesser <ma...@apropos.com>.
I figured out the difference that's causing the URL to be decoded twice.  It
seems that as of JDK1.3.0 URLs using the file: scheme are now decoded like
http: scheme URLs.  For example, file:c:\temp\%2e%2e\fubar.txt is
interpreted as file:c:\temp\..\fubar.txt.  In JDK1.2.2 this would have
generated a FileNotFoundException.

I think this is a bug; file URLs should not be URL decoded.  We'll see if
Sun agrees, but in the meantime I'll handle this in Tomcat to prevent file
contents from being exposed.

> -----Original Message-----
> From: Marc Saegesser [mailto:marc.saegesser@apropos.com]
> Sent: Thursday, April 05, 2001 10:05 AM
> To: tomcat-dev@jakarta.apache.org
> Subject: RE: TC3.2.x and security problems
>
>
> Here's an update.  I've installed JDK1.3.0 and JDK1.3.1-beta and tested the
> following URLs.
>
> All the tests were run on Win2000 using Tomcat 3.2.2b2.  The only difference
> between these runs was the value of the JAVA_HOME environment variable.
>
> The security problems I could duplicate *only* occurred when using JDK1.3.x.
> They *never* happened with JDK1.2.2.  I was able to duplicate problems
> (directory listing and file contents) for URLs using sequences of
> /%252e%252e to 'escape' from the web application directory.  None of the
> /%2e%2e attacks worked.
>
> I would appreciate it if others could try these URLs on other platforms to
> see if their results vary.  I'm going to investigate the JDK1.3 issues on
> Win2000.
>
> GET /examples/jsp/num/numguess.jsp%00
>    JDK1.2.2 --> 404
>    JDK1.3.0 --> 404
>    JDK1.3.1 --> 404
>
> GET /%252e%252e/%252e%252e/%00.jsp
>    JDK1.2.2 --> 404
>    JDK1.3.0 --> Directory listing
>    JDK1.3.1 --> Directory listing
>
> GET /examples/jsp/num/numguess.js%2570
>    JDK1.2.2 --> 404
>    JDK1.3.0 --> 404
>    JDK1.3.1 --> 404
>
> GET /%2e%2e/%2e%2e/%00.jsp
>    JDK1.2.2 --> 404
>    JDK1.3.0 --> 404
>    JDK1.3.1 --> 404
>
> GET /%2e%2e/%2e%2e%5cLICENSE/%00.jsp
>    JDK1.2.2 --> 404
>    JDK1.3.0 --> 404
>    JDK1.3.1 --> 404
>
> GET /%252e%252e/%252e%252e%5cLICENSE/%00.jsp
>    JDK1.2.2 --> 404
>    JDK1.3.0 --> File contents
>    JDK1.3.1 --> File contents
>


RE: TC3.2.x and security problems

Posted by Marc Saegesser <ma...@apropos.com>.
Here's an update.  I've installed JDK1.3.0 and JDK1.3.1-beta and tested the
following URLs.

All the tests were run on Win2000 using Tomcat 3.2.2b2.  The only difference
between these runs was the value of the JAVA_HOME environment variable.

The security problems I could duplicate *only* occurred when using JDK1.3.x.
They *never* happened with JDK1.2.2.  I was able to duplicate problems
(directory listing and file contents) for URLs using sequences of
/%252e%252e to 'escape' from the web application directory.  None of the
/%2e%2e attacks worked.

I would appreciate it if others could try these URLs on other platforms to
see if their results vary.  I'm going to investigate the JDK1.3 issues on
Win2000.

GET /examples/jsp/num/numguess.jsp%00
   JDK1.2.2 --> 404
   JDK1.3.0 --> 404
   JDK1.3.1 --> 404

GET /%252e%252e/%252e%252e/%00.jsp
   JDK1.2.2 --> 404
   JDK1.3.0 --> Directory listing
   JDK1.3.1 --> Directory listing

GET /examples/jsp/num/numguess.js%2570
   JDK1.2.2 --> 404
   JDK1.3.0 --> 404
   JDK1.3.1 --> 404

GET /%2e%2e/%2e%2e/%00.jsp
   JDK1.2.2 --> 404
   JDK1.3.0 --> 404
   JDK1.3.1 --> 404

GET /%2e%2e/%2e%2e%5cLICENSE/%00.jsp
   JDK1.2.2 --> 404
   JDK1.3.0 --> 404
   JDK1.3.1 --> 404

GET /%252e%252e/%252e%252e%5cLICENSE/%00.jsp
   JDK1.2.2 --> 404
   JDK1.3.0 --> File contents
   JDK1.3.1 --> File contents



RE: TC3.2.x and security problems

Posted by Marc Saegesser <ma...@apropos.com>.
OK, I just tried this again (my results included inline) and in all cases I
get a 404 error.  I'm using Win2000 and JDK1.2.2.  I'll try testing with
JDK1.3 on Win2000 tomorrow and see if the problem follows the JDK version or
the operating system.


> -----Original Message-----
> From: Stephan Seyboth [mailto:sps@caldera.de]
> Sent: Wednesday, April 04, 2001 9:08 AM
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: TC3.2.x and security problems
>
[...]
>
> $ telnet localhost 8080
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /examples/jsp/num/numguess.jsp
> HTTP/1.0 200 OK
> Content-Type: text/plain
> Content-Length: 1237
> Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
> Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
> Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
>
> [numguess.jsp source follows]

This one has been fixed in 3.2.2.

>
> $ telnet localhost 8180
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /examples/jsp/num/numguess.jsp%00
> HTTP/1.0 200 OK
> Content-Type: text/plain
> Content-Length: 1237
> Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
> Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
> Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
>
> [numguess.jsp source follows]

My results on Win2000 with JDK1.2.2

GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 213
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java 1.2.2; Windows NT 5.0 x86; java.vendor=Sun Microsystems Inc.)

<head><title>Not Found (404)</title></head>
<body><h1>Not Found (404)</h1>
<b>Original request:</b> /examples/jsp/num/numguess.jsp%00<br><br>
<b>Not found request:</b> /examples/jsp/num/numguess.jsp%00</body>

>
> $ telnet localhost 8180
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /%252e%252e/%252e%252e/%00.jsp
>
> HTTP/1.0 200 OK
> Content-Type: text/html;charset=ISO-8859-1
> Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
> Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
>
> [directory listing follows]

My results on Win2000 with JDK1.2.2.

GET /%252e%252e/%252e%252e/%00.jsp
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 207
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java 1.2.2; Windows NT 5.0 x86; java.vendor=Sun Microsystems Inc.)

<head><title>Not Found (404)</title></head>
<body><h1>Not Found (404)</h1>
<b>Original request:</b> /%252e%252e/%252e%252e/%00.jsp<br><br>
<b>Not found request:</b> /%252e%252e/%252e%252e/%00.jsp</body>

I don't have JDK 1.3 on this machine so I'll have to wait until tomorrow to
see if the problem behavior follows the JDK version or the operating system.


Re: TC3.2.x and security problems

Posted by Stephan Seyboth <sp...@caldera.de>.
On Wed, Apr 04, 2001 at 08:35:11AM -0500, Marc Saegesser wrote:
> Has anyone on tomcat-dev been able to reproduce these problems using Tomcat
> 3.2.x?  I've been trying to reproduce the error using 3.2.1, 3.2.2b2 and
> even 3.1.1.  So far I always get a 404.  I've never been able to get
> directory listing or JSP source.

[...]

> > > exploits:
> > > http://target:8080/%2e%2e/%2e%2e/%00.jsp
> > > It is possible to cause the Tomcat server to Listing
> > > outside the document root directory scope.

I can't reproduce that one, but could verify the following problems
on Linux:

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
 
[numguess.jsp source follows]
 
$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
 
[numguess.jsp source follows]

$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /%252e%252e/%252e%252e/%00.jsp
 
HTTP/1.0 200 OK
Content-Type: text/html;charset=ISO-8859-1
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

[directory listing follows]

-- 
Stephan Seyboth - Developer
Caldera (Deutschland) GmbH
http://www.caldera.de/

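Marc's diagnosis earlier in the thread (the request path is percent-decoded twice: once by Tomcat's HTTP layer, and once more when JDK 1.3 resolves the resulting file: URL) and Stephan's Linux transcript above (a trailing %00 causes the raw JSP source to be served, and /%252e%252e/ sequences produce a directory listing) both come down to what a request path means after each decoding stage. What follows is an added example, not Tomcat code and not written by any poster in this thread: it walks a request path through successive decodes so the double-encoding effect is visible, and then applies a decode-once, reject-on-residue validation against an assumed document root. The document root, the rejection policy and the sample request targets (modelled on the URLs reported in the thread) are all constructed for this example.

```python
"""Request-path validation for the traversal patterns discussed in the thread.

Added illustration, not Tomcat code.  The document root, the policy and the
sample request targets below are constructed for the example.
"""
import posixpath
from urllib.parse import unquote

# Assumed document root; not a path from the thread.
DOCROOT = "/opt/tomcat/webapps"

# Constructed request targets modelled on the URLs reported in the thread.
SAMPLE_REQUESTS = [
    "/examples/jsp/num/numguess.jsp",             # normal request
    "/examples/jsp/num/numguess.jsp%00",          # NUL appended to the name
    "/examples/jsp/num/numguess.js%2570",         # double-encoded 'p'
    "/%2e%2e/%2e%2e/%00.jsp",                     # single-encoded dots
    "/%252e%252e/%252e%252e/%00.jsp",             # double-encoded dots
    "/%252e%252e/%252e%252e%5cLICENSE/%00.jsp",   # double-encoded dots + backslash
    "/%252e%252e/%252e%252e/LICENSE",             # double-encoded, no NUL
    "/%2e%2e/%2e%2e/LICENSE",                     # single-encoded, no NUL
]


def decode_layers(raw_path):
    """Return the successive percent-decodings of raw_path until it stops changing.

    One decode (the HTTP layer's) turns %252e into %2e; only a second decode
    (the JDK 1.3 file: URL behaviour described in the thread) turns that into
    '.', which is why a double-encoded path slips past a check that looks at the
    once-decoded string for literal '..' segments.
    """
    layers = [raw_path]
    while True:
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            return layers
        layers.append(nxt)


def validate_path(raw_path, docroot=DOCROOT):
    """Classify one request-target path.  Returns (verdict, detail).

    Policy (defensive, assumed for this example):
      1. decode exactly once, as the HTTP layer does;
      2. reject NUL bytes: they truncate names in C-based file APIs and defeat
         extension-based servlet mappings such as *.jsp;
      3. reject any '%' left after the single decode: the request was
         double-encoded and a later decode stage would change its meaning;
      4. reject backslashes, which Windows treats as path separators;
      5. resolve the path under the document root and require that it still
         lies there after normalisation.
    """
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return "reject", "NUL byte in path"
    if "%" in decoded:
        return "reject", "still encoded after one decode (double encoding)"
    if "\\" in decoded:
        return "reject", "backslash separator in path"
    # Join to the document root *before* normalising: normalising the request
    # path on its own would silently drop leading '..' segments and hide the
    # traversal instead of reporting it.
    resolved = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if resolved != docroot and not resolved.startswith(docroot + "/"):
        return "reject", "escapes document root: " + resolved
    return "accept", resolved


def scan(requests=SAMPLE_REQUESTS, docroot=DOCROOT):
    """Run validate_path over a batch of request targets; returns {path: verdict}."""
    return {r: validate_path(r, docroot) for r in requests}


if __name__ == "__main__":
    for layer in decode_layers("/%252e%252e/%252e%252e/%00.jsp"):
        print(repr(layer))
    for path, (verdict, detail) in scan().items():
        print(f"{verdict:7} {path!r}: {detail}")
```

Running the module prints the three decoding layers of the double-encoded listing URL (the raw path, the once-decoded path still holding %2e sequences, and the twice-decoded path containing literal .. segments and a NUL), followed by a verdict for each sample target; only the plain numguess.jsp request is accepted. The order of the checks matters little for security, since every rule is a hard reject, but decoding exactly once and then refusing any remaining percent sign is the rule that closes the gap Marc describes: whatever a later stage does with file: URLs, it never sees a path that still carries encoded characters.
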
TC3.2.x and security problems

Posted by Marc Saegesser <ma...@apropos.com>.
Has anyone on tomcat-dev been able to reproduce these problems using Tomcat
3.2.x?  I've been trying to reproduce the error using 3.2.1, 3.2.2b2 and
even 3.1.1.  So far I always get a 404.  I've never been able to get
directory listing or JSP source.

The beta 2 time period is just about over.  With the exception of this
reported security problem, no critical bugs have been found during this beta
cycle.  I plan to call the final release vote soon, but I want to make sure
this security problem isn't real before I do that.

> -------- Original Message --------
> From: jon@LATCHKEY.COM (Jon Stevens)
> Subject: Re: CHINANSL Security Advisory(CSA-200108)
> Newsgroups: lists.bugtraq
>
> on 3/30/01 11:26 PM, "lovehacker" <lo...@263.NET> wrote:
>
> > Topic:
> > Tomcat 3.2.1 for win2000 Directory traversal
> > Vulnerability
> >
> > vulnerable:
> > Tomcat 3.2.1 for win2000
> > maybe for other operating system also.
> >
> > discussion:
> > A security vulnerability has been found in Windows
> > NT/2000 systems that have Tomcat 3.2.1
> > installed. The
> > vulnerability allows remote attackers to access files
> > outside the document root directory scope.
> >
> > exploits:
> > http://target:8080/%2e%2e/%2e%2e/%00.jsp
> > It is possible to cause the Tomcat server to Listing
> > outside the document root directory scope.
> >
> > solution:
> > None
> >
> > Copyright 2000-2001 CHINANSL. All Rights
> > Reserved. Terms of use.
> >
> > CHINANSL Security Team
> > <lo...@chinansl.com>
> > CHINANSL INFORMATION TECHNOLOGY CO.,LTD
> > (http://www.chinansl.com)
>
> What is with this Copyright stuff?
>
> #1. Please report security issues to security@apache.org and/or
> tomcat-dev@jakarta.apache.org first. It seems like that is a common
> courtesy.
>
> #2. Please test against the latest Tomcat 4.0 which is 4.0b2. I believe
> that this has already been fixed.
>
> p.s. Your lovehacker@263.net email address bounces.
>
> -jon