Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/10/13 08:57:01 UTC
DO NOT REPLY [Bug 13578] New: - Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11 releases
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13578>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13578
Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11 releases
Summary: Fix for JSP disclosure bug for all 4.0-4.0.5, 4.1-4.1.11 releases
Product: Tomcat 4
Version: 4.1.11
Platform: All
URL: http://www.ultranet.tv
OS/Version: All
Status: NEW
Severity: Critical
Priority: Other
Component: Catalina:Modules
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: sabiq@purdue.edu
Guys, you have offered a solution for 4.0.5, and ONLY IMPLICITLY for 4.1.12
for the jsp disclosure bug: downloading a new web.xml file. We had to
unsuccessfully try re-installing the server before we found out that the
solution doesn't really require that.
Millions of people running other 4.x versions (excluding 4.0.6) have only 2
choices:
1) disable all non-custom-named servlets
2) upgrade the server immediately
Well, we couldn't upgrade just like that. We have some changes that need to be
made first (or perhaps there is another Unicode-related bug in 4.1.12).
I suggest 2 solutions here, and very much hope that you list these as an
option for non-4.0.5-4.0.6-4.1.12 users:
A.
1) download servlets-invoker.jar from a 4.1.12 installation (will be attached in
a later message marked A.) (or equivalent) into $CATALINA_HOME/server/lib/.
2) download http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip,
unzip it, and put web.xml (will be attached in a later message marked A.) into
$CATALINA_HOME/conf
This solution has none of my code, although it did take a while to figure
things out. Totally trustworthy. It generates a 404 error (Not Found) for all
hacking requests.
B.
1) Put the web.xml modified by me (which will be attached in a later message
marked B., or equivalent) into the $CATALINA_HOME/conf/ folder. The only changes I
made to web.xml are:
...
  <servlet>
    <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <!-- Directory listings stay enabled here; set this to false if you do not want them -->
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <!-- Name a dummy servlet, so that hacking requests can be forwarded to it -->
  <servlet>
    <servlet-name>AntiHacker</servlet-name>
    <servlet-class>rs.security.SourceDisclosure</servlet-class>
  </servlet>
...
  <!-- Send hacking requests to this servlet and thus prevent source disclosure -->
  <servlet-mapping>
    <servlet-name>AntiHacker</servlet-name>
    <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pattern>
  </servlet-mapping>
2) Optional: Put SourceDisclosure.class (which will be attached in a later message
marked B., or equivalent) into the WEB-INF/classes/rs/security/ folder of each
application. It has to be rs/security/ because that's how I compiled it.
Equivalents can be made differently. It is optional: if it's not there in an
application, then no source will be shown, but instead a 503 (Service
Unavailable) error message will pop up, which does no harm to the server and
prevents the hacking. The class does nothing but print "All right, now we
can report the IP address of the criminal who's been hacking Java servers all
over the Internet to the Interpol: 127.0.0.1" :)
Btw, it would be very useful if the simplicity of such solution(s) was shown
in a visible place on the Tomcat pages. It took quite a few hours to figure these
things out.
Thanks,
r
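An added example, not the reporter's attached class and not Tomcat's own code: a minimal rs.security.SourceDisclosure that fits the servlet-mapping in solution B, logs the blocked request to the container log and answers with a 404 (the same status solution A produces) instead of a message. The package and class name come from the post; the log wording, the 404 choice and the assumed location of servlet.jar under $CATALINA_HOME/common/lib are mine.

```java
// Added example, not the class attached to the bug report.
// Compiled against the Servlet 2.3 API shipped with Tomcat 4, e.g.
//   javac -classpath $CATALINA_HOME/common/lib/servlet.jar \
//         -d <webapp>/WEB-INF/classes rs/security/SourceDisclosure.java
// (path to servlet.jar is an assumption; adjust to your install).
package rs.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sink for requests that reach DefaultServlet through the invoker by
 * class name (/servlet/org.apache.catalina.servlets.DefaultServlet/...).
 * It never looks at the requested resource, so no JSP source can leak.
 */
public class SourceDisclosure extends HttpServlet {

    // Handle every HTTP method the same way: log the attempt, then refuse.
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Record which resource was targeted and by whom; this goes to the
        // container log via GenericServlet.log(), useful for later review.
        String query = req.getQueryString();
        log("Blocked DefaultServlet-by-name request from " + req.getRemoteAddr()
                + " for " + req.getRequestURI()
                + (query != null ? "?" + query : ""));

        // 404 tells the client nothing about whether the file exists and
        // matches what the 4.0.5 hotfix web.xml returns for such requests.
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }
}
```

With this class present the mapped requests get a 404 and a log line; without it, as the post notes, Tomcat answers 503 because the servlet cannot be loaded, which still withholds the source.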