You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Greg Wilkins <gr...@mortbay.com> on 2000/11/30 23:21:29 UTC
Web application security problem on windows
Web applications running on Windows (or other systems with non case
sensitive file systems) can have secure content accessed by
using different case. The problem is a design problem for
security-constraints and an implementation problem for WEB-INF
For example I have been able to access /WeB-iNf/web.xml on several
public servers running tomcat/catalina on NT. The current release
of Jetty3 also is vulnerable and probably most other servlet
containers.
As URLs are case sensitive, the security constraints are bypassed
by the different case request. However, once these requests are
converted to real filenames or file URLs, the JVM is able to
provide a file for them.
The impact of this can be significant, as it allows unauthorized access
to WEB-INF/web.xml. Furthermore any code in WEB-INF/classes or
WEB-INF/lib may be accessed and decompiled and inspected for other
vulnerabilities.
Also vulnerable are any servlets written using getResource or
getRealPath APIs that pass/use pathInfo. If these servlets are
protected by a security constraint including alpha numeric
characters, then they are vulnerable.
For example, a security constraint of /secret/* will not
protect a JSP like /secret/private.jsp. As a request to
/SeCrEt/private.jsp will correctly bypass the security
constraint, while the JspServlet at *.jsp will be able to find a
matching jsp source file using getRealPath and/or getResource.
Which will be compiled and a result returned. Note that
both the security constraint and the JSP servlet are acting
correctly for their given path specifications.
NB. I have verified that jasper (3.1) is vulnerable to this attack.
A general fix will be difficult to find, as many servlets use
getRealPath and their own file handling. Furthermore, the
real case of a file cannot be determined easily (getCanonicalPath
does not return the actual file's case on at least one popular
JVM (sun JDK1.2.2 on linux accessing a remote NT file system).
Thus a general check for case matching cannot be made.
I am currently of the opinion that design changes are needed in
the security-constraint mechanism to at least allow case
insensitive url-patterns to be used.
A better solution would be to specify the behaviour of multiple
security constraints, plus allow relaxing constraints.
This may even be possible within the current web.dtd?
If the most specific security constraint takes precedent (as it
probably does), then a reasonable solution can be reached by
placing a restrictive constraint on / and then defining less
restrictive constraints on more specific paths. This may be
a valid interpretation of the current specification, but if
so, it needs to be clarified.
Note that protection of the WEB-INF directory is separate
to considerations of user defined security constraints, other
than it probably shares a common implementation. WEB-INF should be
protected from case base access regardless of any action taken on
security constraints.
A final point is that this may show that it may not have
been a good idea to place WEB-INF and all it's content
within the document root. Perhaps an alternate web application
directory layout can be considered with a document root as
a sibling or child rather than a parent of WEB-INF.
eg. if WEB-INF/docroot exists, then it becomes the
document root.
regards
PS. sorry if this has been raised before in these forums, but
my searches could not find anything
--
Greg Wilkins<gr...@mortbay.com> GB Phone: +44-(0)2074394045
Mort Bay Consulting Australia and UK. Mbl Phone: +44-(0)7775534369
http://www.mortbay.com AU Phone: +61-(0)2 99772395
Re: Web application security problem on windows
Posted by se...@eng.sun.com.
Thank you for your feedback on the Servlet API. Your feedback will be
read by an engineer on the Java Servlet API Team and given serious
consideration. We will contact you directly if we have further
questions about your feedback.
----------------------------------------------------------------------
We do not perform sales or technical support from this address. This
is worth repeating: you will not receive any additional mail, unless
we have questions on your feedback. Please contact one of our other
support channels (below) if you require support.
To place a bug report directly into our database, you may enter your
bug here: http://java.sun.com/cgi-bin/bugreport.cgi
For licensing, sales and schedule information, please contact
1-888-THEJAVA. If outside the US, please dial 1-(512)434-1591
----------------------------------------------------------------------
For more discussion of the servlet API please consider joining the
servlet-interest mailing list.
You may subscribe to the mailing list by sending an email to:
LISTSERV@JAVASOFT.COM
with the _body_ of the message containing the line
SUBSCRIBE SERVLET-INTEREST Full-Name-Here
where Full-Name-Here is your name.
Discussions of programming Java Servlets, and server side Java
programming in general, are carried out on the Usenet newsgroup
comp.lang.java.programmer.
----------------------------------------------------------------------
Thank you for your time and input.
The Servlet API Team