Posted to users@tomcat.apache.org by Sameer Naik <sa...@yahoo.com> on 2008/04/16 07:51:50 UTC

Tomcat JSP source code disclosure

(Sorry if this message is posted multiple times. I posted the same message a couple of times before subscribing to the list, but I am not sure if it went through.)

Hi,

Our Tomcat 5.0.28 running on RHEL (2.4.21-32.0.1.ELsmp) is showing the source code of a JSP if the characters %c0%80 are appended to the URL. I could not find a fix for this behavior. I am playing around with the caseSensitive and allowLinking directives but did not have any success. Any other clues?

Thanks,
Sameer


Re: Tomcat JSP source code disclosure

Posted by Mark Thomas <ma...@apache.org>.
Christopher Schultz wrote:
> Mark,
> 
> Mark Thomas wrote:
> | My best guess from
> | the limited information is that you are using httpd and mod_jk and your
> | configuration isn't secure.
> 
> Agreed. You should always lock-down Apache httpd by prohibiting access
> to, say, "*.jsp" in your webapp directory /from httpd configuration/.
> Tomcat will protect *.jsp and anything under /WEB-INF/ and /META-INF/
> for you, but you can always use Apache http to avoid those protections.

Or better yet, never, ever configure Tomcat and httpd to serve content from 
the same file system location. If you *really* know what you are doing you 
can do it securely, but most people get it wrong.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat JSP source code disclosure

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

Mark Thomas wrote:
| My best guess from
| the limited information is that you are using httpd and mod_jk and your
| configuration isn't secure.

Agreed. You should always lock-down Apache httpd by prohibiting access
to, say, "*.jsp" in your webapp directory /from httpd configuration/.
Tomcat will protect *.jsp and anything under /WEB-INF/ and /META-INF/
for you, but you can always use Apache http to avoid those protections.

Make sure you do something like:

<Directory "/path/to/webapps/mywebapp/META-INF">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/path/to/webapps/mywebapp/WEB-INF">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/path/to/webapps/mywebapp/">
    <Files "*.jsp">
        Order deny,allow
        Deny from all
    </Files>
    ... any other files that should never be served by Apache httpd.
</Directory>

-chris



Re: Tomcat JSP source code disclosure

Posted by Mark Thomas <ma...@apache.org>.
Sameer Naik wrote:
> Our Tomcat 5.0.28 running on RHEL (2.4.21-32.0.1.ELsmp) is showing source code of JSP if characters %c0%80 are appended to the URL. I could not find a fix for this behavior. I am playing around with caseSensitive and allowLinking directives but did not have any success. Any other clues?

This doesn't happen for me with the latest source. My best guess from the 
limited information is that you are using httpd and mod_jk and your 
configuration isn't secure.

Mark


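The Python script below is an added example, not code from this thread or from the Tomcat or httpd projects. It takes the defender's side of the two points raised above: Sameer's report of %c0%80 appended to a JSP URL, and Chris's httpd rules denying /WEB-INF/, /META-INF/ and *.jsp. It percent-decodes each request target from an access log, decodes the bytes as strict UTF-8 (which rejects %c0%80, an overlong encoding of NUL, and generalises to every other non-shortest-form sequence), and flags requests that reach a protected directory or a JSP name followed by trailing bytes, together with the status httpd returned, so a log review shows whether the front end really denied them. The common-log-format parser, the finding names, the /myapp context and the log lines are all constructed for this example.

```python
"""Added example (not from the thread): review httpd access logs for request
paths that could slip past Tomcat's own protection of *.jsp, /WEB-INF/ and
/META-INF/ when httpd serves from the same document root."""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Apache "common" log format; the request target is captured before any decoding.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories Tomcat refuses to serve; httpd must refuse them too.
PROTECTED_DIRS = ("/WEB-INF/", "/META-INF/")


def analyse_path(target: str) -> list[str]:
    """Return a list of findings for one raw request target (empty if clean)."""
    findings: list[str] = []
    path = target.split("?", 1)[0]
    raw = unquote_to_bytes(path)  # %xx -> bytes; nothing interpreted yet
    bad_at = None
    try:
        # Strict UTF-8: non-shortest-form sequences such as C0 80 raise here,
        # which is the behaviour a hardened decoder should have.
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append("invalid-or-overlong-utf8")
        bad_at = exc.start
        decoded = raw.decode("utf-8", errors="replace")
    if "\x00" in decoded:
        findings.append("nul-byte")
    if any(d in decoded.upper() for d in PROTECTED_DIRS):
        findings.append("protected-dir")
    # The "clean" part of the path is everything before the first bad byte or NUL.
    # A JSP name sitting right there is the pattern the original post describes.
    truncated = bad_at is not None or "\x00" in decoded
    clean = (raw[:bad_at] if bad_at is not None else raw).decode("utf-8", errors="replace")
    clean = clean.split("\x00", 1)[0].lower()
    if truncated and clean.endswith((".jsp", ".jspx")):
        findings.append("jsp-name-with-trailing-bytes")
    return findings


def scan_log(log_text: str) -> list[dict]:
    """Parse common-log-format lines and return the entries that have findings.
    A 200 status on a flagged entry means the front end actually served it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_path(m["target"])
        if findings:
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "findings": findings,
            })
    return hits


# Constructed sample log; the addresses and the /myapp context are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2008:07:51:50 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 1432
10.0.0.9 - - [16/Apr/2008:07:52:01 +0000] "GET /myapp/index.jsp%c0%80 HTTP/1.1" 200 2210
10.0.0.9 - - [16/Apr/2008:07:52:07 +0000] "GET /myapp/WEB-INF/web.xml HTTP/1.1" 403 199
10.0.0.9 - - [16/Apr/2008:07:52:15 +0000] "GET /myapp/%57%45%42-INF/web.xml HTTP/1.1" 200 5120
10.0.0.5 - - [16/Apr/2008:07:53:00 +0000] "GET /myapp/css/main.css HTTP/1.1" 200 812
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        served = "SERVED" if hit["status"] == 200 else "denied"
        print(f'{hit["ip"]} {hit["target"]} -> {served}: {", ".join(hit["findings"])}')
```

Matching /WEB-INF/ only after percent-decoding matters: the fourth sample line spells WEB as %57%45%42, which a rule comparing raw request strings would miss, and its 200 status is exactly the kind of entry that says the httpd Deny rules are not doing their job.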