Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/10/13 08:57:01 UTC

DO NOT REPLY [Bug 13578] New: - Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11 releases

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13578>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13578

Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11 releases

           Summary: Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11
                    releases
           Product: Tomcat 4
           Version: 4.1.11
          Platform: All
               URL: http://www.ultranet.tv
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina:Modules
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: sabiq@purdue.edu


Guys, you have offered a solution for 4.0.5, and ONLY IMPLICITLY for 4.1.12, 
for the JSP disclosure bug: downloading a new web.xml file. We tried 
re-installing the server, unsuccessfully, before we found out that the 
solution doesn't really require that.

Millions of people running other 4.x versions (excluding 4.0.6) have only 2 
choices:
1) disable all non-custom-named servlets
2) upgrade the server immediately

Well, we couldn't upgrade just like that. We have some changes that need to be 
made first (or perhaps there is another Unicode-related bug in 4.1.12).

I suggest 2 solutions here, and very much hope that you list these as an 
option for users of versions other than 4.0.5, 4.0.6 and 4.1.12:
A.
1) download servlets-invoker.jar from a 4.1.12 installation (will be attached 
in a later message marked A.) (or equivalent) into $CATALINA_HOME/server/lib/.

2) download 
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip, 
unzip it, and put web.xml (will be attached in a later message marked A.) into 
$CATALINA_HOME/conf

This solution has none of my code, although it did take a while to figure 
things out. Totally trustworthy. It generates a 404 error (Not Found) for all 
hacking requests.

B. 
1) Put the web.xml modified by me (or equivalent), which will be attached in a 
later message marked B., into the $CATALINA_HOME/conf/ folder. The only changes 
I made to web.xml are:
...
  <servlet>
    <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <!-- Name a dummy servlet, so that hacking requests can be forwarded to it -->
  <servlet>
    <servlet-name>AntiHacker</servlet-name>
    <servlet-class>rs.security.SourceDisclosure</servlet-class>
  </servlet>
...
  <!-- Send hacking requests to this servlet and thus prevent source disclosure -->
  <servlet-mapping>
    <servlet-name>AntiHacker</servlet-name>
    <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pattern>
  </servlet-mapping>

2) Optional: Put SourceDisclosure.class (or equivalent), which will be attached 
in a later message marked B., into the WEB-INF/classes/rs/security/ folder of 
each application. It has to be rs/security/ because that's how I compiled it. 
Equivalents can be made differently. It is optional: if it's not there in an 
application, then no source will be shown; instead a 503 (Service Unavailable) 
error message will pop up, which does no harm to the server and prevents the 
hacking. The class does nothing but print "All right, now we can report the IP 
address of the criminal who's been hacking Java servers all over the Internet 
to Interpol: 127.0.0.1" :)

Btw, it would be very useful if the simplicity of such solution(s) were 
expressed in a visible place on the Tomcat pages. It took quite a few hours to 
figure these things out.

Thanks,
r
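Why the extra mapping in solution B works, as an added illustration that is not part of the report or of Tomcat: the Servlet 2.3 rules route a request to the longest matching path prefix, so a mapping for /servlet/org.apache.catalina.servlets.DefaultServlet/* shadows the invoker's /servlet/*. The web.xml fragments below are constructed to mirror the stock Tomcat 4 "default" and "invoker" mappings, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not the report's attachment): the "default" and "invoker"
# mappings Tomcat 4 ships in conf/web.xml, plus a slot for one extra mapping.
WEB_XML_TEMPLATE = """<web-app>
  <servlet-mapping><servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
  {extra}
</web-app>"""
# The mapping added in solution B above (servlet name and pattern from the report).
ANTIHACKER_MAPPING = """<servlet-mapping><servlet-name>AntiHacker</servlet-name>
    <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pattern>
  </servlet-mapping>"""
# A request that invokes DefaultServlet by class name, the "hacking request" of the report.
DISCLOSURE_PATH = "/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp"

def parse_mappings(web_xml):
    """Return (url-pattern, servlet-name) pairs from a web.xml document."""
    root = ET.fromstring(web_xml)
    return [(m.findtext("url-pattern"), m.findtext("servlet-name"))
            for m in root.iter("servlet-mapping")]

def resolve(path, mappings):
    """Servlet 2.3 matching order: exact, longest path prefix, extension, default."""
    for pattern, name in mappings:
        if pattern == path and pattern != "/":
            return name
    best = None  # longest "/prefix/*" whose prefix covers the path
    for pattern, name in mappings:
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, name)
    if best:
        return best[1]
    for pattern, name in mappings:
        if pattern.startswith("*.") and path.endswith(pattern[1:]):
            return name
    return next((name for pattern, name in mappings if pattern == "/"), None)

def handler_for_disclosure_path(web_xml):
    return resolve(DISCLOSURE_PATH, parse_mappings(web_xml))

if __name__ == "__main__":
    print(handler_for_disclosure_path(WEB_XML_TEMPLATE.format(extra="")))  # invoker
    print(handler_for_disclosure_path(WEB_XML_TEMPLATE.format(extra=ANTIHACKER_MAPPING)))  # AntiHacker
```

With the stock file the request reaches the invoker servlet, which instantiates DefaultServlet and serves the JSP as text; with the extra mapping the same request reaches AntiHacker, which is why the reporter's 404 or 503 appears instead of source.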
