Posted to dev@tomcat.apache.org by Stefán Freyr Stefánsson <st...@decode.is> on 2000/10/18 13:31:07 UTC

RE: Tomcat security issue - THIS IS SERIOUS !!!

I have not been able to reproduce this problem on 3.2b6.  But this is
actually what worries me the most...  Mr. Cheong Takhoe did this with a
version of Tomcat which I can't remember what is and Mr. Craig R. McClanahan
was able to reproduce the problem on another version of Tomcat... this
worries me a lot since I can't see that there is any guarantee that this will
not happen on my 3.2 b6 version of Tomcat (if I change some external factors
like the operating system, jdk version or something else).

Can any of the Tomcat developers answer the following question:
	Will this bug be thoroughly tested in the final version of 3.2 and will
there be a guarantee (or at least as close to a guarantee as you can
possibly give) that this won't happen?

I do realize that Tomcat is being developed in your spare time for most of
you... but it is being used all over the place in applications that can't
afford bugs like this.  At the same time I ask you this question I would
like to thank you guys for all your hard work on this... kudos to y'all,
just to keep it absolutely clear that there is not a trace of grudge in this
letter! ;o)


Kind regards, Stefan.

-----Original Message-----
From: Cheong Takhoe [mailto:Takhoe@apiit.edu.my]
Sent: 18 October 2000 10:20
To: 'tomcat-user@jakarta.apache.org'
Subject: RE: Tomcat security issue - THIS IS SERIOUS !!!


TADA.... : )

> -----Original Message-----
> From:	Lacerda, Wellington (AFIS) [SMTP:Wellington.Lacerda@fao.org]
> Sent:	Wednesday, October 18, 2000 4:31 PM
> To:	'tomcat-user@jakarta.apache.org'
> Subject:	RE: Tomcat security issue - THIS IS SERIOUS !!!
> Importance:	High
>
> I have tomcat under NT and it exposes the source code even when you call it
> as a standalone server through :8080 !
> Is this affecting 3.2b6 also ?
>
> Wellington Silva
> UN/FAO
>
> 		-----Original Message-----
> 		From:	Richard Wooding [mailto:richard@camara.co.za]
> 		Sent:	Wednesday, October 18, 2000 10:24 AM
> 		To:	tomcat-user@jakarta.apache.org
> 		Subject:	Re: Tomcat security issue
>
> 		check your apache configuration
>
> 		----- Original Message -----
> 		From: "Cheong Takhoe" <Ta...@apiit.edu.my>
> 		To: <to...@jakarta.apache.org>
> 		Sent: Wednesday, October 18, 2000 7:34 AM
> 		Subject: Tomcat security issue
>
>
> 		Hi,
>
> 		I discovered that Tomcat has a security problem with regards to the way it
> 		works with the handlers.
>
> 		if you have a file x.jsp
> 		when you access it through the web browser, http://<hostname>/x.jsp\
> 		with the \ there,
>
> 		it opens up the source code....
> 		HMMMMMmmmm...
>
> 		I don't know whether this is similar on a non-NT platform.
> 		any ideas about this? solutions?
>
> 		regards,
> 		Cheong Takhoe


Re: Tomcat security issue - THIS IS SERIOUS !!!

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Stefán Freyr Stefánsson wrote:

> I have not been able to reproduce this problem on 3.2b6.  But this is
> actually what worries me the most...  Mr. Cheong Takhoe did this with a
> version of Tomcat which I can't remember what

The reason you cannot remember is that Mr. Takhoe did not tell us what version he
tested with.

This morning, he responded that the problem occurred with Tomcat 3.1.  If you are
concerned about this bug in your environment, you should upgrade to 3.2b6 or later.

> is and Mr. Craig R. McClanahan
> was able to reproduce the problem on another version of Tomcat...

It was reproduced with Tomcat 4.0-m2, and has been fixed.  The fix will appear in the
upcoming milestone 3 release.

> this
> worries me a lot since I can't see that there is any guarantee that this will
> not happen on my 3.2 b6 version of Tomcat (if I change some external factors
> like the operating system, jdk version or something else).
>

This bug turned out to have nothing to do with the platform or OS.  But we never know
that ahead of time -- that is why bug reports should *always* include this
information (plus the version of Tomcat, of course :-).

>
> Can any of the Tomcat developers answer the following question:
>         Will this bug be thoroughly tested in the final version of 3.2 and will
> there be a guarantee (or at least as close to a guarantee as you can
> possibly give) that this won't happen?
>

Tomcat 3.2b6 does *not* exhibit this problem.  It correctly throws a 404 (not found)
page if you add a "/" or a "\" character after the name of a JSP file.

>
> I do realize that Tomcat is being developed in your spare time for most of
> you... but it is being used all over the place in applications that can't
> afford bugs like this.  At the same time I ask you this question I would
> like to thank you guys for all your hard work on this... kudos to y'all,
> just to keep it absolutely clear that there is not a trace of grudge in this
> letter! ;o)
>

Not a problem.

>
> Kind regards, Stefan.
>

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
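The thread reports the symptom (a `\` or `/` after `x.jsp` returns the raw page source on 3.1 and 4.0-m2, a 404 on 3.2b6) but not the root cause. The following is an added example, not Tomcat source code, that models the usual shape of this bug class so the two behaviours can be compared side by side: the handler mapping decides by a suffix test on the raw request path, while the file lookup underneath ignores a trailing separator, so `/x.jsp\` misses the JSP handler and the default (static) handler hands out the file. The trailing-separator behaviour of the file lookup, the handler names and the sample page contents are all assumptions made for the model, and the `looks_like_jsp_source` heuristic is a check you would apply to responses from a real server.

```python
"""Toy model of a trailing-separator handler-mapping bypass.

Added example, not Tomcat code. Assumed mechanism: extension-based
mapping inspects the raw path, but the file API drops a trailing
separator, so the raw JSP file is served by the static handler.
"""

from typing import Dict, Optional, Tuple

# Constructed sample web application: canonical path -> file contents.
WEBAPP_FILES = {
    "/x.jsp": '<%@ page language="java" %>\n<% out.println(dbPassword); %>\n',
    "/index.html": "<html><body>hello</body></html>\n",
}

SEPARATORS = ("/", "\\")


def file_lookup(path: str) -> Optional[str]:
    """Assumed platform file-API behaviour: trailing separators of either
    kind are dropped before the lookup, so "/x.jsp\\" opens "/x.jsp"."""
    while len(path) > 1 and path.endswith(SEPARATORS):
        path = path[:-1]
    return WEBAPP_FILES.get(path)


def jsp_handler(path: str) -> Tuple[int, str]:
    """Stand-in for the JSP engine: returns rendered output, never source."""
    if file_lookup(path) is None:
        return 404, "Not Found"
    return 200, "<rendered output of %s>" % path


def static_handler(path: str) -> Tuple[int, str]:
    """Stand-in for the default file-serving handler: returns bytes as-is."""
    body = file_lookup(path)
    return (200, body) if body is not None else (404, "Not Found")


def dispatch_vulnerable(path: str) -> Tuple[int, str]:
    """Naive mapping: suffix test on the raw request path.
    "/x.jsp\\" does not end in ".jsp", so it falls through to the static
    handler, whose file lookup silently strips the separator."""
    if path.endswith(".jsp"):
        return jsp_handler(path)
    return static_handler(path)


def dispatch_fixed(path: str) -> Tuple[int, str]:
    """Fixed mapping: a file name never ends in a separator, so any
    request path that does is a 404 (the behaviour the thread reports
    for 3.2b6); a backslash is not a URL path separator at all."""
    if "\\" in path:
        return 404, "Not Found"
    if path != "/" and path.endswith("/"):
        return 404, "Not Found"
    if path.endswith(".jsp"):
        return jsp_handler(path)
    return static_handler(path)


def looks_like_jsp_source(status: int, body: str) -> bool:
    """Heuristic for a probe response: source has leaked if the server
    said 200 and the body still contains JSP/scriptlet markup."""
    return status == 200 and ("<%" in body or "<jsp:" in body)


PROBES = ["/x.jsp", "/x.jsp\\", "/x.jsp/"]


def probe(dispatch) -> Dict[str, bool]:
    """Run the three request variants through a dispatcher and report,
    per variant, whether the response looks like leaked JSP source."""
    return {p: looks_like_jsp_source(*dispatch(p)) for p in PROBES}


if __name__ == "__main__":
    for name, d in (("vulnerable", dispatch_vulnerable), ("fixed", dispatch_fixed)):
        print(name, probe(d))
```

Against a live server the same probe is a `GET /x.jsp\` and a `GET /x.jsp/`: a 404 is what the thread reports for 3.2b6, while a 200 whose body contains `<%` means the page source, and anything embedded in it such as database credentials, is being served. Note that the fix is placed in the mapper rather than in the file handler: the two layers must agree on what a path means, and rejecting the malformed path before any handler is chosen is what removes the disagreement.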