RE: Security Hole - server.xml

2003-11-26 Thread Hart, Justin
No prob, good luck.

-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml


thanks for your time Justin - I will look into this - T

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 18:17
To: Tomcat Users List
Subject: RE: Security Hole - server.xml


Well, right, but if you were to inherit from the realm that you wanted to use, you can 
manipulate the password field in any way that you wish.

Unix password shadows are plaintext, as are MD5 hashes.  All you do now is run MD5 over
the password field in the authenticate method, and voilà, you have MD5 to store your
passwords with.

Justin

-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:13 PM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml


Note - in reply to Justin - I don't have a multi-tier login

So to summarise I guess the answer to this is that Tomcat currently does not support
encrypted datasource user/passwd or does not allow the option to enter user/passwd at
startup

The most one can do is to apply strict unix permissions to server.xml

Thomas






-Original Message-
From: Bob Jacoby [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 17:10
To: [EMAIL PROTECTED]
Subject: RE: Security Hole - server.xml


I consider things like this. By encrypting the password I'm protecting against casual 
learning of the password. I'm not really referring to hackers, but administrators of 
the system. There's a big difference between a hacker and an administrator. What if I 
need the administrator to add a new entry? Do I tell him to not look at the other 
entries or hold up some Men in Black gizmo after he's done to make him forget what he 
saw? How can I prove that the admin knowingly looked at the file to get the passwords 
as opposed to just making a mistake? If the passwords are encrypted the administrator 
would have to take a deliberate action to learn the passwords that generally can't be 
chalked up to a mistake. I think a similar argument applies to why Unix passwords are 
encrypted. 

By some of the arguments I've seen in response to the original post people seem to 
think that if a specific security precaution doesn't absolutely protect the system 
there's no point in doing it. By that argument, and given that there are no absolutes 
with respect to security, what's the point of implementing any security in the first 
place? This question is to those who say it's pointless to encrypt the passwords since 
they can be discovered via some means - not a general question of why any security 
should be implemented. :)

Bob

>>> [EMAIL PROTECTED] 11/26/03 08:09AM >>>
> From: Curley, Thomas [mailto:[EMAIL PROTECTED]

> I'd feel more secure with an MD5 or SHA1 encrypted user and
> password than relying on unix file level security - what
> happens if a hacker gets root priv's ?

Er ... Without wishing to flame, but if they've got root priv's they can do
what they like!

They could still sniff the network and get this info whatever the app
server, unless your DB server supports SSL in which case it becomes more
complex.

Although weblogic appears to encrypt this, if you script the startup, the
admin username/password is still available and hence the encrypted passwords
can be unencrypted (as the app server has to send the password to the DB) -
so you just slow someone down, but if they have some brains will get through
eventually.

Greg


> 
> thanks
> 
> Thomas
> 
> -Original Message-
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 13:51
> To: Tomcat Users List
> Subject: Re: Security Hole - server.xml
> 
> 
> The username and password still need decrypted at some time. It just makes
> the attacker jump through 1 hoop.
>
> Using file permissions on the config file as well and server security are
> the ways to go.
> 
> -Tim
> 
> Curley, Thomas wrote:
> 
> > Hi all,
> > 
> > A direct question arising from a security review :-
> > 
> >  Using a datasource it is possible to remove the 'username', 'password' or
> >  at least encrypt them using something like MD5
> > 
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> **
> ***
> This email and any attachments are confidential and intended 
> for the sole use of the intended recipient(s).If you receive 
> this email in error please notify [EMA

RE: Security Hole - server.xml

2003-11-26 Thread Curley, Thomas
thanks for your time Justin - I will look into this - T


RE: Security Hole - server.xml

2003-11-26 Thread Hart, Justin
Well, right, but if you were to inherit from the realm that you wanted to use, you can 
manipulate the password field in any way that you wish.

Unix password shadows are plaintext, as are MD5 hashes.  All you do now is run MD5 over
the password field in the authenticate method, and voilà, you have MD5 to store your
passwords with.

Justin


RE: Security Hole - server.xml

2003-11-26 Thread Curley, Thomas
Note - in reply to Justin - I don't have a multi-tier login

So to summarise I guess the answer to this is that Tomcat currently does not support
encrypted datasource user/passwd or does not allow the option to enter user/passwd at
startup

The most one can do is to apply strict unix permissions to server.xml

Thomas
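
The file-permission fallback this thread settles on ("apply strict unix permissions to server.xml"), as an added example that is not part of the original messages: a POSIX shell check that flags a credential-bearing config file that group or other can access, or that sits in a directory others can write to. The sample file, the function names and the choice of mode 600 are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a config file that holds
# a plaintext datasource password (server.xml in the thread above).

# Write a small CONSTRUCTED config to $1. The element layout is a simplified
# stand-in, not a copy of any real Tomcat server.xml.
make_sample_config() {
    cat > "$1" <<'EOF'
<Server>
  <!-- constructed sample: datasource credentials stored in the clear -->
  <Resource name="jdbc/ExampleDB" username="appuser" password="example-only"/>
</Server>
EOF
}

# Succeeds when the file mentions a password at all, i.e. is worth protecting.
holds_credentials() {
    grep -qi 'password' "$1"
}

# Print the 10-character mode string (e.g. -rw-r--r--) of a path.
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# audit_config FILE
# Returns 0 if only the owner can access FILE and only the owner can write
# to its directory; 1 if something is too open; 2 if FILE is missing.
audit_config() {
    ac_file=$1
    ac_status=0
    if [ ! -f "$ac_file" ]; then
        echo "MISSING  $ac_file"
        return 2
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    ac_go=$(mode_string "$ac_file" | cut -c5-10)
    if [ "$ac_go" != "------" ]; then
        echo "OPEN     $ac_file group/other bits: $ac_go"
        ac_status=1
    fi

    # A writable directory lets another account swap the file out, so the
    # group-write (char 6) and other-write (char 9) bits must be clear too.
    ac_dir=$(dirname "$ac_file")
    ac_dw=$(mode_string "$ac_dir" | cut -c6,9)
    if [ "$ac_dw" != "--" ]; then
        echo "OPEN     $ac_dir is writable by group/other"
        ac_status=1
    fi

    if [ "$ac_status" -eq 0 ]; then
        echo "OK       $ac_file"
    fi
    return "$ac_status"
}

# harden_config FILE: owner read/write only. Mode 600 is this example's
# reading of "strict"; the owner is assumed to be the account the server
# runs as.
harden_config() {
    chmod 600 "$1"
}

# Demo on a constructed file in a private temp directory.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_config "$d/server.xml"
    chmod 644 "$d/server.xml"                 # common world-readable default
    if holds_credentials "$d/server.xml"; then
        echo "credentials present in $d/server.xml"
    fi
    audit_config "$d/server.xml" || echo "-> needs tightening"
    harden_config "$d/server.xml"
    audit_config "$d/server.xml"              # reports OK after chmod 600
    rm -rf "$d"
}
demo
```

As the replies in this thread point out, this limits who can read the password on disk; it does nothing against an account that already has root.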







RE: Security Hole - server.xml

2003-11-26 Thread Bob Jacoby
I consider things like this. By encrypting the password I'm protecting against casual 
learning of the password. I'm not really referring to hackers, but administrators of 
the system. There's a big difference between a hacker and an administrator. What if I 
need the administrator to add a new entry? Do I tell him to not look at the other 
entries or hold up some Men in Black gizmo after he's done to make him forget what he 
saw? How can I prove that the admin knowingly looked at the file to get the passwords 
as opposed to just making a mistake? If the passwords are encrypted the administrator 
would have to take a deliberate action to learn the passwords that generally can't be 
chalked up to a mistake. I think a similar argument applies to why Unix passwords are 
encrypted. 

By some of the arguments I've seen in response to the original post people seem to 
think that if a specific security precaution doesn't absolutely protect the system 
there's no point in doing it. By that argument, and given that there are no absolutes 
with respect to security, what's the point of implementing any security in the first 
place? This question is to those who say it's pointless to encrypt the passwords since 
they can be discovered via some means - not a general question of why any security 
should be implemented. :)

Bob



RE: Security Hole - server.xml

2003-11-26 Thread Greg . Cope
> From: Curley, Thomas [mailto:[EMAIL PROTECTED]

> I'd feel more secure with an MD5 or SHA1 encrypted user and
> password than relying on unix file level security - what
> happens if a hacker gets root priv's ?

Er ... Without wishing to flame, but if they've got root priv's they can do
what they like!

They could still sniff the network and get this info whatever the app
server, unless your DB server supports SSL in which case it becomes more
complex.

Although weblogic appears to encrypt this, if you script the startup, the
admin username/password is still available and hence the encrypted passwords
can be unencrypted (as the app server has to send the password to the DB) -
so you just slow someone down, but if they have some brains will get through
eventually.

Greg





Re: Security Hole - server.xml

2003-11-26 Thread Tim Funk
The link below is for users logging-in (FORM or BASIC). Not for database 
connections.

-Tim

[EMAIL PROTECTED] wrote:

> > A direct question arising from a security review :-
> >
> >  Using a datasource it is possible to remove the 'username',
> >  'password' or at least encrypt them using something like MD5
>
> The Password can be digested.  See
>
>   http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords





Re: Security Hole - server.xml

2003-11-26 Thread srevilak
> A direct question arising from a security review :-
>
>  Using a datasource it is possible to remove the 'username',
>  'password' or at least encrypt them using something like MD5

The Password can be digested.  See

  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20Passwords

-- 
Steve






RE: Security Hole - server.xml

2003-11-26 Thread Hart, Justin
You're not reusing the passwords anywhere else in the system (IE, you don't have a 
multi-tier login, do you?)

If you do, you can quite feasibly shadow the passwords.  I don't know if such an 
implementation exists in tomcat, but I would assume that someone, somewhere, has 
written a realm implementation that works with a .htaccess file, if not, you can 
always connect Tomcat to Apache.

Having written a customized realm implementation only yesterday, I can assure you that 
it isn't too terribly difficult to do so, as the security is pretty well laid out in 
Tomcat.

Justin

-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 8:53 AM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml


I'd feel more secure with an MD5 or SHA1 encrypted user and password than relying on
unix file level security - what happens if a hacker gets root priv's ?

thanks

Thomas

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml


The username and password still need decrypted at some time. It just makes 
the attacker jump through 1 hoop.

Using file permissions on the config file as well and server security are the 
ways to go.

-Tim

Curley, Thomas wrote:

> Hi all,
> 
> A direct question arising from a security review :-
> 
>  Using a datasource it is possible to remove the 'username', 'password' or at least
> encrypt them using something like MD5
> 





Re: Security Hole - server.xml

2003-11-26 Thread Ben Souther
If a hacker gets root privileges,  the username and password for tomcat are 
the least of your concerns.



On Wednesday 26 November 2003 08:53 am, Curley, Thomas wrote:
> I'd feel more secure with an MD5 or SHA1 encrypted user and password than
> relying on unix file level security - what happens if a hacker gets root
> priv's ?
>
> thanks
>
> Thomas
>
> -Original Message-
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 13:51
> To: Tomcat Users List
> Subject: Re: Security Hole - server.xml
>
>
> The username and password still need decrypted at some time. It just makes
> the attacker jump through 1 hoop.
>
> Using file permissions on the config file as well and server security are
> the ways to go.
>
> -Tim
>
> Curley, Thomas wrote:
> > Hi all,
> >
> > A direct question arising from a security review :-
> >
> >  Using a datasource it is possible to remove the 'username', 'password'
> > or at least encrypt them using something like MD5

-- 
Ben Souther
F.W. Davison & Company, Inc.






Re: Security Hole - server.xml

2003-11-26 Thread Tim Funk
To connect to a database, you need the *real* userid password. (IIRC) SHA1
and MD5 are both one way hashes so you can't use it for database connectivity.

The only feasible alternative (which isn't present in tomcat) is to force a
password to be entered by keyboard on tomcat startup to allow decryption of
passwords. (Like protected keys for ssl)

-Tim

Curley, Thomas wrote:

> I'd feel more secure with an MD5 or SHA1 encrypted user and password than
> relying on unix file level security - what happens if a hacker gets root
> priv's ?
>
> thanks
>
> Thomas
>
> -Original Message-
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: 26 November 2003 13:51
> To: Tomcat Users List
> Subject: Re: Security Hole - server.xml
>
> The username and password still need decrypted at some time. It just makes
> the attacker jump through 1 hoop.
>
> Using file permissions on the config file as well and server security are the
> ways to go.
>
> -Tim
>
> Curley, Thomas wrote:
>
> > Hi all,
> >
> > A direct question arising from a security review :-
> >
> > Using a datasource it is possible to remove the 'username', 'password' or at
> > least encrypt them using something like MD5





RE: Security Hole - server.xml

2003-11-26 Thread Curley, Thomas
I'd feel more secure with an MD5 or SHA1 encrypted user and password than relying on 
unix file level security - what happens if a hacker gets root priv's ?

thanks

Thomas

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml


The username and password still need decrypted at some time. It just makes 
the attacker jump through 1 hoop.

Using file permissions on the config file as well and server security are the 
ways to go.

-Tim

Curley, Thomas wrote:

> Hi all,
> 
> A direct question arising from a security review :-
> 
>  Using a datasource it is possible to remove the 'username', 'password' or at least 
> encrypt them using something like MD5
> 





Re: Security Hole - server.xml

2003-11-26 Thread Tim Funk
The username and password still need decrypted at some time. It just makes 
the attacker jump through 1 hoop.

Using file permissions on the config file as well and server security are the 
ways to go.

-Tim

Curley, Thomas wrote:

Hi all,

A direct question arising from a security review :-

 Using a datasource it is possible to remove the 'username', 'password' or at least encrypt them using something like MD5





Re: security hole on windows/ Tomcat with JRE 1.4.2 (b28)

2003-08-24 Thread Tim Funk
Search the archives - I think this is a JDK 1.4.2 related bug.

-Tim

Asaf Barkan wrote:


The syndrome is that when typing:
http://myurl:8080/myfile.jsp%20
The JSP code is delivered to the client.

I have checked this on the following platforms:
Win2k server (SP3) 
JRE 1.4.2 (b28)
IIS 5/Tomcat HTTP 1.1 connector

It works but it is not consistent (could be some race case).
BTW I have tried this on 1.4.2 (b2) and I could not compromise this hole.
I have encountered a discussion on a similar issue with a recommendation to
add the following argument to the Tomcat string:
-Dsun.io.useCanonCaches=false
I have tried this and it solved the problem.

Can someone tell me whether there are other solutions and what this parameter
means ?
Thanks a lot






RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
Ok guys,
What could I have turned on that would have allowed this bug to happen?
I can make it happen in both tomcat and tomcat through apache.  (Most
recent of both)  I can provide a site where it DOES happen so you guys
can see what is happening.

> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 11, 2003 12:07 PM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
> 
> 
> sorry, I don't know - I don't use Apache. This was just a 
> thought that I
> had.
> 
> I do not have this problem 4.1.24 on Win2k
> 
> Charlie
> 
> > -Original Message-
> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 11:49 AM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > Charlie,  
> > How do you fix this within apache?
> > 
> > > -Original Message-
> > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > Sent: Monday, August 11, 2003 10:15 AM
> > > To: 'Tomcat Users List'
> > > Subject: RE: security hole on windows tomcat?
> > > 
> > > 
> > > do you have apache on the front end and are you only mapping 
> > > *.jsp where
> > > *.jsp%20 is not a match and apache would then serve the 
> > file as text?
> > > 
> > > Charlie
> > > 
> > > > -Original Message-
> > > > From: John Turner [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, August 11, 2003 9:22 AM
> > > > To: Tomcat Users List
> > > > Subject: Re: security hole on windows tomcat?
> > > > 
> > > > 
> > > > 
> > > > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > > > 
> > > > John
> > > > 
> > > > Paul Sundling("Webdaddy") wrote:
> > > > 
> > > > > I came across what appears to be a security hole when 
> > > > running tomcat. 
> > > > > I'm not sure how widespread it is, but my linux server is 
> > > > safe, yet my 
> > > > > windows XP, tomcat 4.1.24 is vulnerable.
> > > > > 
> > > > > I found that if you append %20 to a jsp page it shows the 
> > > > source code 
> > > > > instead of displaying the page:
> > > > > 
> > > > > http://192.168.1.54:8080/index.jsp  
> > > > > http://192.168.1.54:8080/index.jsp%20  > > > index.jsp>
> > > > > 
> > > > > So how widespread is this?
> > > > > 
> > > > > Paul Sundling
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > 
> > 
> -
> > > > > To unsubscribe, e-mail: 
> > [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: 
> > > [EMAIL PROTECTED]
> > > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > 
> -
> > > > To unsubscribe, e-mail: 
> [EMAIL PROTECTED]
> > > > For additional commands, e-mail: 
> > [EMAIL PROTECTED]
> > > > 
> > > 
> > > 
> > 
> -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: 
> [EMAIL PROTECTED]
> > > 
> > > 
> > 
> > 
> -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
Charlie,  
How do you fix this within apache?

> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 11, 2003 10:15 AM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
> 
> 
> do you have apache on the front end and are you only mapping 
> *.jsp where
> *.jsp%20 is not a match and apache would then serve the file as text?
> 
> Charlie
> 
> > -Original Message-
> > From: John Turner [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 9:22 AM
> > To: Tomcat Users List
> > Subject: Re: security hole on windows tomcat?
> > 
> > 
> > 
> > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > 
> > John
> > 
> > Paul Sundling("Webdaddy") wrote:
> > 
> > > I came across what appears to be a security hole when 
> > running tomcat. 
> > > I'm not sure how widespread it is, but my linux server is 
> > safe, yet my 
> > > windows XP, tomcat 4.1.24 is vulnerable.
> > > 
> > > I found that if you append %20 to a jsp page it shows the 
> > source code 
> > > instead of displaying the page:
> > > 
> > > http://192.168.1.54:8080/index.jsp  
> > > http://192.168.1.54:8080/index.jsp%20  > index.jsp>
> > > 
> > > So how widespread is this?
> > > 
> > > Paul Sundling
> > > 



Re: security hole on windows tomcat?

2003-08-14 Thread John Turner
Let's see the Tomcat-only link.

John

Angus Mezick wrote:

Ok guys,
What could I have turned on that would have allowed this bug to happen?
I can make it happen in both tomcat and tomcat through apache.  (Most
recent of both)  I can provide a site where it DOES happen so you guys
can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a 
thought that I
had.

I do not have this problem 4.1.24 on Win2k

Charlie






Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
I never changed the mime-mapping when I installed it.  I run tomcat 
manually or as a manual service.  When I tried running tomcat as an 
automatic service, it had trouble.  The only changes I made were in 
configs specific to webapps.  The problem is present on the unmodified 
examples webapp.  The only two jars I added in the SDK were the JDBC 
drivers for postgres and mysql.

Paul Sundling

Cox, Charlie wrote:

did you change any mime-mappings in conf/web.xml? could you have a "jsp " in
there somewhere defining it as text?
 

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Ok guys,
What could I have turned on that would have allowed this bug 
to happen?
I can make it happen in both tomcat and tomcat through apache.  (Most
recent of both)  I can provide a site where it DOES happen so you guys
can see what is happening.

   

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a 
thought that I
had.

I do not have this problem 4.1.24 on Win2k

Charlie

 

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Charlie,  
How do you fix this within apache?

   

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping 
*.jsp where
*.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling("Webdaddy") wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet my 
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  
http://192.168.1.54:8080/index.jsp%20  index.jsp>

So how widespread is this?

Paul Sundling



 



RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml
and post the log.

> -Original Message-
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:39 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows tomcat?
> 
> 
> Nope, but this mime mapping exists.
> 
> jspf
> text/plain
> 
> 
> > -Original Message-
> > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, August 11, 2003 12:15 PM
> > To: 'Tomcat Users List'
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > did you change any mime-mappings in conf/web.xml? could you 
> > have a "jsp " in
> > there somewhere defining it as text?
> > 
> > > -Original Message-
> > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, August 11, 2003 12:15 PM
> > > To: Tomcat Users List
> > > Subject: RE: security hole on windows tomcat?
> > > 
> > > 
> > > Ok guys,
> > > What could I have turned on that would have allowed this bug 
> > > to happen?
> > > I can make it happen in both tomcat and tomcat through 
> > apache.  (Most
> > > recent of both)  I can provide a site where it DOES happen 
> > so you guys
> > > can see what is happening.
> > > 
> > > > -Original Message-
> > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > Sent: Monday, August 11, 2003 12:07 PM
> > > > To: 'Tomcat Users List'
> > > > Subject: RE: security hole on windows tomcat?
> > > > 
> > > > 
> > > > sorry, I don't know - I don't use Apache. This was just a 
> > > > thought that I
> > > > had.
> > > > 
> > > > I do not have this problem 4.1.24 on Win2k
> > > > 
> > > > Charlie
> > > > 
> > > > > -Original Message-
> > > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, August 11, 2003 11:49 AM
> > > > > To: Tomcat Users List
> > > > > Subject: RE: security hole on windows tomcat?
> > > > > 
> > > > > 
> > > > > Charlie,  
> > > > > How do you fix this within apache?
> > > > > 
> > > > > > -Original Message-
> > > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > > > Sent: Monday, August 11, 2003 10:15 AM
> > > > > > To: 'Tomcat Users List'
> > > > > > Subject: RE: security hole on windows tomcat?
> > > > > > 
> > > > > > 
> > > > > > do you have apache on the front end and are you 
> only mapping 
> > > > > > *.jsp where
> > > > > > *.jsp%20 is not a match and apache would then serve the 
> > > > > file as text?
> > > > > > 
> > > > > > Charlie
> > > > > > 
> > > > > > > -Original Message-
> > > > > > > From: John Turner [mailto:[EMAIL PROTECTED]
> > > > > > > Sent: Monday, August 11, 2003 9:22 AM
> > > > > > > To: Tomcat Users List
> > > > > > > Subject: Re: security hole on windows tomcat?
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > > > > > > 
> > > > > > > John
> > > > > > > 
> > > > > > > Paul Sundling("Webdaddy") wrote:
> > > > > > > 
> > > > > > > > I came across what appears to be a security hole when 
> > > > > > > running tomcat. 
> > > > > > > > I'm not sure how widespread it is, but my linux 
> server is 
> > > > > > > safe, yet my 
> > > > > > > > windows XP, tomcat 4.1.24 is vulnerable.
> > > > > > > > 
> > > > > > > > I found that if you append %20 to a jsp page it 
> shows the 
> > > > > > > source code 
> > > > > > > > instead of displaying the page:
> > > > > > > > 
> > > > > > > > http://192.

RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
can you turn on debugging for the default servlet(conf/web.xml) and also
turn on the requestdumpervalve(server.xml) and post the log.



> -Original Message-
> From: Paul Sundling [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 8:43 PM
> To: Tomcat Users List
> Subject: Re: security hole on windows tomcat?
> 
> 
> I never changed the mime-mapping when I installed it.  I run tomcat 
> manually or as a manual service.  When I tried running tomcat as an 
> automatic service, it had trouble.  The only changes I made were in 
> configs specific to webapps.  The problem is present on the 
> unmodified 
> examples webapp.  The only two jars I added in the SDK were the JDBC 
> drivers for postgres and mysql.
> 
> Paul Sundling
> 
> Cox, Charlie wrote:
> 
> >did you change any mime-mappings in conf/web.xml? could you 
> have a "jsp " in
> >there somewhere defining it as text?
> >
> >  
> >
> >>-Original Message-
> >>From: Angus Mezick [mailto:[EMAIL PROTECTED]
> >>Sent: Monday, August 11, 2003 12:15 PM
> >>To: Tomcat Users List
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>Ok guys,
> >>What could I have turned on that would have allowed this bug 
> >>to happen?
> >>I can make it happen in both tomcat and tomcat through 
> apache.  (Most
> >>recent of both)  I can provide a site where it DOES happen 
> so you guys
> >>can see what is happening.
> >>
> >>
> >>
> >>>-Original Message-
> >>>From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> >>>Sent: Monday, August 11, 2003 12:07 PM
> >>>To: 'Tomcat Users List'
> >>>Subject: RE: security hole on windows tomcat?
> >>>
> >>>
> >>>sorry, I don't know - I don't use Apache. This was just a 
> >>>thought that I
> >>>had.
> >>>
> >>>I do not have this problem 4.1.24 on Win2k
> >>>
> >>>Charlie
> >>>
> >>>  
> >>>
> >>>>-Original Message-
> >>>>From: Angus Mezick [mailto:[EMAIL PROTECTED]
> >>>>Sent: Monday, August 11, 2003 11:49 AM
> >>>>To: Tomcat Users List
> >>>>Subject: RE: security hole on windows tomcat?
> >>>>
> >>>>
> >>>>Charlie,  
> >>>>How do you fix this within apache?
> >>>>
> >>>>
> >>>>
> >>>>>-----Original Message-
> >>>>>From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> >>>>>Sent: Monday, August 11, 2003 10:15 AM
> >>>>>To: 'Tomcat Users List'
> >>>>>Subject: RE: security hole on windows tomcat?
> >>>>>
> >>>>>
> >>>>>do you have apache on the front end and are you only mapping 
> >>>>>*.jsp where
> >>>>>*.jsp%20 is not a match and apache would then serve the 
> >>>>>  
> >>>>>
> >>>>file as text?
> >>>>
> >>>>
> >>>>>Charlie
> >>>>>
> >>>>>  
> >>>>>
> >>>>>>-Original Message-
> >>>>>>From: John Turner [mailto:[EMAIL PROTECTED]
> >>>>>>Sent: Monday, August 11, 2003 9:22 AM
> >>>>>>To: Tomcat Users List
> >>>>>>Subject: Re: security hole on windows tomcat?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> >>>>>>
> >>>>>>John
> >>>>>>
> >>>>>>Paul Sundling("Webdaddy") wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>I came across what appears to be a security hole when 
> >>>>>>>  
> >>>>>>>
> >>>>>>running tomcat. 
> >>>>>>
> >>>>>>
> >>>>>>>I'm not sure how widespread it is, but my linux server is 
> >>>>>>>  
> >>>>>>>
> >>>>>>safe, yet my 
> >

Re: security hole on windows tomcat?

2003-08-14 Thread Kwok Peng Tuck
Can't replicate your problem, tried both linux and win2k 
Version of tomcat is the same as yours.

Paul Sundling("Webdaddy") wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet my 
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  
http://192.168.1.54:8080/index.jsp%20 
So how widespread is this?

Paul Sundling



RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
sorry, I overlooked where you mentioned it was the default install.

please post a link
Charlie

> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:15 PM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
> 
> 
> did you change any mime-mappings in conf/web.xml? could you 
> have a "jsp " in
> there somewhere defining it as text?
> 
> > -Original Message-
> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 12:15 PM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > Ok guys,
> > What could I have turned on that would have allowed this bug 
> > to happen?
> > I can make it happen in both tomcat and tomcat through 
> apache.  (Most
> > recent of both)  I can provide a site where it DOES happen 
> so you guys
> > can see what is happening.
> > 
> > > -Original Message-
> > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > Sent: Monday, August 11, 2003 12:07 PM
> > > To: 'Tomcat Users List'
> > > Subject: RE: security hole on windows tomcat?
> > > 
> > > 
> > > sorry, I don't know - I don't use Apache. This was just a 
> > > thought that I
> > > had.
> > > 
> > > I do not have this problem 4.1.24 on Win2k
> > > 
> > > Charlie
> > > 
> > > > -Original Message-
> > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, August 11, 2003 11:49 AM
> > > > To: Tomcat Users List
> > > > Subject: RE: security hole on windows tomcat?
> > > > 
> > > > 
> > > > Charlie,  
> > > > How do you fix this within apache?
> > > > 
> > > > > -Original Message-
> > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > > Sent: Monday, August 11, 2003 10:15 AM
> > > > > To: 'Tomcat Users List'
> > > > > Subject: RE: security hole on windows tomcat?
> > > > > 
> > > > > 
> > > > > do you have apache on the front end and are you only mapping 
> > > > > *.jsp where
> > > > > *.jsp%20 is not a match and apache would then serve the 
> > > > file as text?
> > > > > 
> > > > > Charlie
> > > > > 
> > > > > > -Original Message-
> > > > > > From: John Turner [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Monday, August 11, 2003 9:22 AM
> > > > > > To: Tomcat Users List
> > > > > > Subject: Re: security hole on windows tomcat?
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > > > > > 
> > > > > > John
> > > > > > 
> > > > > > Paul Sundling("Webdaddy") wrote:
> > > > > > 
> > > > > > > I came across what appears to be a security hole when 
> > > > > > running tomcat. 
> > > > > > > I'm not sure how widespread it is, but my linux server is 
> > > > > > safe, yet my 
> > > > > > > windows XP, tomcat 4.1.24 is vulnerable.
> > > > > > > 
> > > > > > > I found that if you append %20 to a jsp page it shows the 
> > > > > > source code 
> > > > > > > instead of displaying the page:
> > > > > > > 
> > > > > > > http://192.168.1.54:8080/index.jsp   as expected>
> > > > > > > http://192.168.1.54:8080/index.jsp%20  source code of 
> > > > > > index.jsp>
> > > > > > > 
> > > > > > > So how widespread is this?
> > > > > > > 
> > > > > > > Paul Sundling
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> -
> > > > > > > To unsubscribe, e-mail: 
> > > > [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: 
> > > > > [EMAIL PROTECTED

RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
ARGH! This has gone to just being an apache problem.  Tomcat seems to
have self corrected.  I am very confused but will keep looking.  Apache
still does it though.

> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 11, 2003 12:40 PM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
> 
> 
> can you turn on debug for the defaultservlet - set it to 99 
> in conf/web.xml
> and post the log.
> 
> > -Original Message-
> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 12:39 PM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > Nope, but this mime mapping exists.
> > 
> > jspf
> > text/plain
> > 
> > 
> > > -Original Message-
> > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > Sent: Monday, August 11, 2003 12:15 PM
> > > To: 'Tomcat Users List'
> > > Subject: RE: security hole on windows tomcat?
> > > 
> > > 
> > > did you change any mime-mappings in conf/web.xml? could you 
> > > have a "jsp " in
> > > there somewhere defining it as text?
> > > 
> > > > -Original Message-
> > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, August 11, 2003 12:15 PM
> > > > To: Tomcat Users List
> > > > Subject: RE: security hole on windows tomcat?
> > > > 
> > > > 
> > > > Ok guys,
> > > > What could I have turned on that would have allowed this bug 
> > > > to happen?
> > > > I can make it happen in both tomcat and tomcat through 
> > > apache.  (Most
> > > > recent of both)  I can provide a site where it DOES happen 
> > > so you guys
> > > > can see what is happening.
> > > > 
> > > > > -Original Message-
> > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > > Sent: Monday, August 11, 2003 12:07 PM
> > > > > To: 'Tomcat Users List'
> > > > > Subject: RE: security hole on windows tomcat?
> > > > > 
> > > > > 
> > > > > sorry, I don't know - I don't use Apache. This was just a 
> > > > > thought that I
> > > > > had.
> > > > > 
> > > > > I do not have this problem 4.1.24 on Win2k
> > > > > 
> > > > > Charlie
> > > > > 
> > > > > > -Original Message-
> > > > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Monday, August 11, 2003 11:49 AM
> > > > > > To: Tomcat Users List
> > > > > > Subject: RE: security hole on windows tomcat?
> > > > > > 
> > > > > > 
> > > > > > Charlie,  
> > > > > > How do you fix this within apache?
> > > > > > 
> > > > > > > -Original Message-
> > > > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > > > > Sent: Monday, August 11, 2003 10:15 AM
> > > > > > > To: 'Tomcat Users List'
> > > > > > > Subject: RE: security hole on windows tomcat?
> > > > > > > 
> > > > > > > 
> > > > > > > do you have apache on the front end and are you 
> > only mapping 
> > > > > > > *.jsp where
> > > > > > > *.jsp%20 is not a match and apache would then serve the 
> > > > > > file as text?
> > > > > > > 
> > > > > > > Charlie
> > > > > > > 
> > > > > > > > -Original Message-
> > > > > > > > From: John Turner [mailto:[EMAIL PROTECTED]
> > > > > > > > Sent: Monday, August 11, 2003 9:22 AM
> > > > > > > > To: Tomcat Users List
> > > > > > > > Subject: Re: security hole on windows tomcat?
> > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Appending "%20" to my Tomcat 4.1.1x URLs 
> generates a 404.
> > > > > > > > 
> > > > > > > > John
> > > > > > > > 
> > > > >

Re: security hole on windows tomcat?

2003-08-14 Thread Eric J. Pinnell
Yup.

WinXP
Tomcat 4.1.27

http://localhost:8080/examples/jsp/num/numguess.jsp%20 = 404

it's interesting on 4.1.24.  I have been goofing around with the examples
and sometimes I get source and on others I just get freaky output.  For
example snoop.jsp doesn't show any source but just blank header info.

-e

On Mon, 11 Aug 2003, John Turner wrote:

>
> http://localhost:8080/examples/jsp/num/numguess.jsp%20 = 404
>
> Win 2K Pro
> Tomcat 4.1.27
>
> John
>
> Eric J. Pinnell wrote:
>
> > Interesting.
> >
> > WinXP
> > Tomcat 4.1.24
> >
> > http://localhost:8080/examples/jsp/num/numguess.jsp%20
> >
> > I get the source.
> >
> > -e
> >
> > On Mon, 11 Aug 2003, John Turner wrote:
> >
> >
> >>Let's see the Tomcat-only link.
> >>
> >>John
> >>
> >>Angus Mezick wrote:
> >>
> >>
> >>>Ok guys,
> >>>What could I have turned on that would have allowed this bug to happen?
> >>>I can make it happen in both tomcat and tomcat through apache.  (Most
> >>>recent of both)  I can provide a site where it DOES happen so you guys
> >>>can see what is happening.
> >>>
> >>>
> >>>
> >>>>-Original Message-
> >>>>From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> >>>>Sent: Monday, August 11, 2003 12:07 PM
> >>>>To: 'Tomcat Users List'
> >>>>Subject: RE: security hole on windows tomcat?
> >>>>
> >>>>
> >>>>sorry, I don't know - I don't use Apache. This was just a
> >>>>thought that I
> >>>>had.
> >>>>
> >>>>I do not have this problem 4.1.24 on Win2k
> >>>>
> >>>>Charlie
> >>>>
> >>>>



RE: security hole on windows tomcat?

2003-08-14 Thread WATKIN-JONES,ADAM (HP-UnitedKingdom,ex1)
fwiw,

windows server 2003 standard edition
j2sdk 1.4.2
jakarta-tomcat-4.1.27-LE-jdk14 zip (not exe)

http://localhost:8080/examples/jsp/num/numguess.jsp%20 problem appeared in
opera 7.11
viewed page in ie 6 and got 404
subsequently got 404 in opera
flicked around other samples in opera and saw similar behaviour
went back to numguess and code was back again, despite hitting refresh!

[e.g. http://localhost:8080/examples/jsp/xml/xml.jsp%20

String getDateTimeStr(Locale l) { DateFormat df =
SimpleDateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.MEDIUM,
l); return df.format(new Date()); } Example JSP in XML format This is the
output of a simple JSP using XML format. Use a jsp:scriptlet to loop from 1
to 10: // Note we need to declare CDATA because we don't escape the less
than symbol for (int i = 1; i<=10; i++) { out.println(i); if (i < 10) {
out.println(", "); } }  Use a jsp:expression to write the date and
time in the browser's locale: getDateTimeStr(request.getLocale()) 

This sentence is enclosed in a jsp:text element.

which subsequently became a 404]

so, for me, the browser appeared to have something to do with it





RE: security hole on windows tomcat?

2003-08-14 Thread Eric J. Pinnell
I think at this point this might be a worthwhile candidate for Sun's
bugparade.  At least get it on their radars (if they don't know about it
already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit
out the source code when it gets a request it doesn't know how to deal
with.  Upon failure it should result in some kind of error.  Sun might
care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

> It is highly possible that this is dependent on the JVM you have
> installed.  I actually finally WAS able to see this on Windows XP, but
> only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
> with 1.4.1.  Of course, JVM version is the one item I left off of my
> "poll" in my email below.  :)
>
> I'm trying to verify this on other OS's and track down what the actual
> problem is.
>
> But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
>
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
>
> >>> [EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
> Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
> either port 8080 or port 80 - pages return fine without the %20
> suffix,
> always return http 404 with the suffix.
>
> Murray
> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 13 August 2003 02:41
> To: [EMAIL PROTECTED]
> Subject: RE: security hole on windows tomcat?
>
>
> So this issue is confusing.  It seems that indeed there IS an issue,
> though most cannot see a problem.
> Talking to some people off-list, it seems that some think it is a JK2
> /
> workers2.properties issue.  But I'm pretty sure that others have seen
> this going directly to port 8080.
> We probably need to take a quick poll:
>
> If you have seen this security problem of being able to view JSP
> source, in what scenario(s)?
>
> Tomcat version
> OS version
> Directly to Tomcat ("8080") or through Apache - JK or JK2?
> (If you've seen the problem, please include your workers or
> workers2.properties file, with a .txt extension)
> Browser version(s)
> url's where this was seen or not seen
>
> If you have seen this in multiple scenarios, and not in others, please
> list each separately.
>
>
> I have NOT seen it in the following scenarios:
>
> Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
> Windows 2000 5.00.2195 Service Pack 4
> Directly to port 8080
> Internet Explorer 6.0.2800.1106 with all security patches up to date
> I tried  http://(url):8080/index.jsp%20
>
> Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
> adding one JNDIRealm beyond the default config)
> Novell NetWare 6.5
> Directly to port 8080, and through Apache - mod_jk.nlm
> Internet Explorer 6.0.2800.1106 with all security patches up to date
> I tried  http://(url):8080/index.jsp%20 and
> https://(url)/tomcat/admin/index.jsp%20
>
>
> Hopefully this mail gets through; I haven't been seeing my emails show
> up on tomcat-user for some reason (I un/resubscribed today...)
>
> It would be really good to get to the bottom of this!
>
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
>
> >>> [EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
> can you turn on debugging for the default servlet(conf/web.xml) and
> also
> turn on the requestdumpervalve(server.xml) and post the log.
>
>
>




Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
which operating system?

Paul

John Turner wrote:

Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling("Webdaddy") wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet 
my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  
http://192.168.1.54:8080/index.jsp%20 
So how widespread is this?

Paul Sundling



RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
I ONLY see the problem in apache.  So I think it is a config problem.
Will the jk2 URI :
[uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
When I turn on the accessvalve tomcat doesn't see this request.

> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 13, 2003 11:24 AM
> To: [EMAIL PROTECTED]
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> Yes, but all Apache does is redirect the request to Tomcat 
> for handling.
>  Tomcat itself decides whether to compile the JSP or serve 
> the file as a
> "static file" (and hence, show the source).  I saw this problem both
> directly to Tomcat (8080), and through Apache integration, until I did
> the workaround.
> 
> There IS somebody on the Tomcat development list who still has the
> problem -- he is running Tomcat as a Windows Service, with Apache
> integration, and the workaround doesn't seem to work.  I cannot
> duplicate since I don't run it as a service or use mod_jk2 like he is.
> 
> Are you sure you still see this with the workaround?  It went away for
> me even with my apache-served urls.  Also, is backrevving the JVM to
> 1.4.1 an option for you?  I'd try that and see if that fixes the
> problem.
> 
> The behaviour of your site WAS exactly the same as mine once 
> I was able
> to get the problem to happen on my box, so it seems like we are all
> seeing the same thing.
> 
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
> 
> >>> [EMAIL PROTECTED] 8/13/03 6:53:39 AM >>>
> Ok.  I have this problem but it isn't tomcat that is doing the serving
> of the JSP source.  It is apache.  This is my workers2.properties uri
> section:
> 
> 
> [uri:www.SITENAME.org/*.jsp]
> group=lbWWW
> [uri:www.SITENAME.org/*.adp]
> group=lbWWW
> [uri:www.SITENAME.org/*.inc]
> group=lbWWW
> [uri:www.SITENAME.org/servlet/*]
> group=lbWWW
> [uri:www.SITENAME.org/*.gs]
> group=lbWWW
> 
> 
> I am guessing the problem is because
> http://www.SITENAME.org/index.jsp%20 is not a match for
> http://www.SITENAME.org/*.jsp  (that trailing space messes stuff up).
> Should I just create a RedirectMatch for this case that removes all
> trailing whitespace?  Would mod_rewrite be better for this?  I am
> using
> this list for this question because I KNOW the apache list doesn't
> want
> tomcat integration questions.
> --Angus
> 
> 
> > -Original Message-
> > From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, August 12, 2003 9:14 PM
> > To: [EMAIL PROTECTED] 
> > Subject: Re: security hole on windows tomcat?
> > 
> > 
> > I've verified that this workaround stops the problem on Win XP's
> 1.4.2
> > and on NetWare's 1.4.2
> > 
> > Jeff Tulley  ([EMAIL PROTECTED])
> > (801)861-5322
> > Novell, Inc., The Leading Provider of Net Business Solutions
> > http://www.novell.com 
> > 
> > >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> > Sorry I've just realized this thread may be related to bugtraq #4895132
> > (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
> > is to add the following property when starting Tomcat:
> > 
> > -Dsun.io.useCanonCaches=false
> > 
> > Can someone try it and let me know if it changes something. If this is
> > not working, then point me to a very simple test case and I will file a
> > new bugtraq bug.
> > 
> > -- Jeanfrancois
> > 
> > 
> > Eric J. Pinnell wrote:
> > 
> > >I think at this point this might be a worthwhile candidate for Sun's
> > >bugparade.  At least get it on their radars (if they don't know about it
> > >already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> > >When 1.4.2 was released 4.1.24 was the latest stable build.
> > >
> > >Regardless the JDK/appserver/whatever should never puke its guts and spit
> > >out the source code when it gets a request it doesn't know how to deal
> > >with.  Upon failure it should result in some kind of error.  Sun might
> > >care about this...
> > >
> > >-e
> > >
> > >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> > >
> > >  
> > >
> > >>It is highly possible that this is dependent on the JVM you have
> > >>ins

Re: security hole on windows tomcat?

2003-08-14 Thread Jeff Tulley
I've verified that this workaround stops the problem on Win XP's 1.4.2
and on NetWare's 1.4.2

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
Sorry I've just realized this thread may be related to bugtraq #4895132
(thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is
not working, then point me to a very simple test case and I will file a
new bugtraq bug.

-- Jeanfrancois


Eric J. Pinnell wrote:

>I think at this point this might be a worthwhile candidate for Sun's
>bugparade.  At least get it on their radars (if they don't know about it
>already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
>When 1.4.2 was released 4.1.24 was the latest stable build.
>
>Regardless the JDK/appserver/whatever should never puke its guts and spit
>out the source code when it gets a request it doesn't know how to deal
>with.  Upon failure it should result in some kind of error.  Sun might
>care about this...
>
>-e
>
>On Tue, 12 Aug 2003, Jeff Tulley wrote:
>
>  
>
>>It is highly possible that this is dependent on the JVM you have
>>installed.  I actually finally WAS able to see this on Windows XP,
but
>>only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
>>with 1.4.1.  Of course, JVM version is the one item I left off of my
>>"poll" in my email below.  :)
>>
>>I'm trying to verify this on other OS's and track down what the
actual
>>problem is.
>>
>>But, if you run Tomcat on JVM 1.4.2, verify if you have this
problem.
>>
>>Jeff Tulley  ([EMAIL PROTECTED])
>>(801)861-5322
>>Novell, Inc., The Leading Provider of Net Business Solutions
>>http://www.novell.com 
>>
>>
>>
>>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
>>>>>  
>>>>>
>>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost
via
>>either port 8080 or port 80 - pages return fine without the %20
>>suffix,
>>always return http 404 with the suffix.
>>
>>Murray
>>-Original Message-
>>From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
>>Sent: Wednesday, 13 August 2003 02:41
>>To: [EMAIL PROTECTED] 
>>Subject: RE: security hole on windows tomcat?
>>
>>
>>So this issue is confusing.  It seems that indeed there IS an issue,
>>though most cannot see a problem.
>>Talking to some people off-list, it seems that some think it is a
JK2
>>/
>>workers2.properties issue.  But I'm pretty sure that others have
seen
>>this going directly to port 8080.
>>We probably need to take a quick poll:
>>
>>If you have seen this security problem of being able to view JSP
>>source, in what scenario(s)?
>>
>>Tomcat version
>>OS version
>>Directly to Tomcat ("8080") or through Apache - JK or JK2?
>>(If you've seen the problem, please include your workers or
>>workers2.properties file, with a .txt extension)
>>Browser version(s)
>>url's where this was seen or not seen
>>
>>If you have seen this in multiple scenarios, and not in others,
please
>>list each separately.
>>
>>
>>I have NOT seen it in the following scenarios:
>>
>>Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
>>Windows 2000 5.00.2195 Service Pack 4
>>Directly to port 8080
>>Internet Explorer 6.0.2800.1106 with all security patches up to date
>>I tried  http://(url):8080/index.jsp%20 
>>
>>Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
>>adding one JNDIRealm beyond the default config)
>>Novell NetWare 6.5
>>Directly to port 8080, and through Apache - mod_jk.nlm
>>Internet Explorer 6.0.2800.1106 with all security patches up to date
>>I tried  http://(url):8080/index.jsp%20 and
>>https://(url)/tomcat/admin/index.jsp%20 
>>
>>
>>Hopefully this mail gets through; I haven't been seeing my emails
show
>>up on tomcat-user for some reason (I un/resubscribed today...)
>>
>>It would be really good to get to the bottom of this!
>>
>>Jeff Tulley  ([EMAIL PROTECTED])
>>(801)861-5322
>>Novell, Inc., The Leading Provider of Net Business Solutions
>>http://www.novell.com 
>>
>>
>>
>>>>>[E

RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
What about your 4.1.2X URLS?  Like the current release.  I have the
latest apache serving to 4.1.27 and I CAN see the jsp code!

> -Original Message-
> From: John Turner [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 11, 2003 9:22 AM
> To: Tomcat Users List
> Subject: Re: security hole on windows tomcat?
> 
> 
> 
> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> 
> John
> 
> Paul Sundling("Webdaddy") wrote:
> 
> > I came across what appears to be a security hole when 
> running tomcat. 
> > I'm not sure how widespread it is, but my linux server is 
> safe, yet my 
> > windows XP, tomcat 4.1.24 is vulnerable.
> > 
> > I found that if you append %20 to a jsp page it shows the 
> source code 
> > instead of displaying the page:
> > 
> > http://192.168.1.54:8080/index.jsp  
> > http://192.168.1.54:8080/index.jsp%20
> > 
> > So how widespread is this?
> > 
> > Paul Sundling
> > 
> > 
> > 
> 
> 




RE: security hole on windows tomcat?

2003-08-14 Thread Shapira, Yoav

Howdy,
You are making sure to clean your browser's cache between each test,
right?

Yoav Shapira
Millennium ChemInformatics


>-Original Message-
>From: Angus Mezick [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 11, 2003 12:56 PM
>To: Tomcat Users List
>Subject: RE: security hole on windows tomcat?
>
>ARGH! This has gone to just being an apache problem.  Tomcat seems to
>have self corrected.  I am very confused but will keep looking.  Apache
>still does it though.
>
>> -Original Message-
>> From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> Sent: Monday, August 11, 2003 12:40 PM
>> To: 'Tomcat Users List'
>> Subject: RE: security hole on windows tomcat?
>>
>>
>> can you turn on debug for the defaultservlet - set it to 99
>> in conf/web.xml
>> and post the log.
>>
>> > -Original Message-
>> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
>> > Sent: Monday, August 11, 2003 12:39 PM
>> > To: Tomcat Users List
>> > Subject: RE: security hole on windows tomcat?
>> >
>> >
>> > Nope, but this mime mapping exists.
>> > 
>> > jspf
>> >     text/plain
>> > 
>> >
>> > > -Original Message-
>> > > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> > > Sent: Monday, August 11, 2003 12:15 PM
>> > > To: 'Tomcat Users List'
>> > > Subject: RE: security hole on windows tomcat?
>> > >
>> > >
>> > > did you change any mime-mappings in conf/web.xml? could you
>> > > have a "jsp " in
>> > > there somewhere defining it as text?
>> > >
>> > > > -Original Message-
>> > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
>> > > > Sent: Monday, August 11, 2003 12:15 PM
>> > > > To: Tomcat Users List
>> > > > Subject: RE: security hole on windows tomcat?
>> > > >
>> > > >
>> > > > Ok guys,
>> > > > What could I have turned on that would have allowed this bug
>> > > > to happen?
>> > > > I can make it happen in both tomcat and tomcat through
>> > > apache.  (Most
>> > > > recent of both)  I can provide a site where it DOES happen
>> > > so you guys
>> > > > can see what is happening.
>> > > >
>> > > > > -Original Message-
>> > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> > > > > Sent: Monday, August 11, 2003 12:07 PM
>> > > > > To: 'Tomcat Users List'
>> > > > > Subject: RE: security hole on windows tomcat?
>> > > > >
>> > > > >
>> > > > > sorry, I don't know - I don't use Apache. This was just a
>> > > > > thought that I
>> > > > > had.
>> > > > >
>> > > > > I do not have this problem 4.1.24 on Win2k
>> > > > >
>> > > > > Charlie
>> > > > >
>> > > > > > -Original Message-
>> > > > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
>> > > > > > Sent: Monday, August 11, 2003 11:49 AM
>> > > > > > To: Tomcat Users List
>> > > > > > Subject: RE: security hole on windows tomcat?
>> > > > > >
>> > > > > >
>> > > > > > Charlie,
>> > > > > > How do you fix this within apache?
>> > > > > >
>> > > > > > > -Original Message-
>> > > > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED]
>> > > > > > > Sent: Monday, August 11, 2003 10:15 AM
>> > > > > > > To: 'Tomcat Users List'
>> > > > > > > Subject: RE: security hole on windows tomcat?
>> > > > > > >
>> > > > > > >
>> > > > > > > do you have apache on the front end and are you
>> > only mapping
>> > > > > > > *.jsp where
>> > > > > > > *.jsp%20 is not a match and apache would then serve the
>> > > > > > file as text?
>> > > > > > >
>> > > > > > > Charlie
>> > > > > > >
>> > > > > > > > -Original Message-
>> > > > > &g

Re: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Paul Sundling
You actually can do that if you had a servlet on the outside that 
forwarded the request to the appropriate JSPs. A simple example is if 
you use the struts framework, the following is an example of how you 
could use that approach.  I just tested it and it worked fine:

[snip from struts-config.xml]
  
[end snip]
Angus Mezick wrote:

Not at the current late stage of development we are currently in.  I
know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
just redirect them into limbo, I don't know.
 

-Original Message-
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 11:45 AM
To: Tomcat Users List
Subject: RE: security hole on windows Apache -> Tomcat?

Can you arrange your file layout in a way, that the jsp's aren't 
under the document root for apache ? (I guess they are, otherwise
apache couldn't show them)

   

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 5:34 PM
To: Tomcat Users List
Subject: RE: security hole on windows Apache -> Tomcat?
I ONLY see the problem in apache.  So I think it is a 
 

config problem.
   

Will the jk2 URI :
[uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
When I turn on the accessvalve tomcat doesn't see this request.
 



RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
did you change any mime-mappings in conf/web.xml? could you have a "jsp " in
there somewhere defining it as text?

> -Original Message-
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:15 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows tomcat?
> 
> 
> Ok guys,
> What could I have turned on that would have allowed this bug 
> to happen?
> I can make it happen in both tomcat and tomcat through apache.  (Most
> recent of both)  I can provide a site where it DOES happen so you guys
> can see what is happening.
> 
> > -Original Message-
> > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, August 11, 2003 12:07 PM
> > To: 'Tomcat Users List'
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > sorry, I don't know - I don't use Apache. This was just a 
> > thought that I
> > had.
> > 
> > I do not have this problem 4.1.24 on Win2k
> > 
> > Charlie
> > 
> > > -Original Message-
> > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, August 11, 2003 11:49 AM
> > > To: Tomcat Users List
> > > Subject: RE: security hole on windows tomcat?
> > > 
> > > 
> > > Charlie,  
> > > How do you fix this within apache?
> > > 
> > > > -Original Message-
> > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > Sent: Monday, August 11, 2003 10:15 AM
> > > > To: 'Tomcat Users List'
> > > > Subject: RE: security hole on windows tomcat?
> > > > 
> > > > 
> > > > do you have apache on the front end and are you only mapping 
> > > > *.jsp where
> > > > *.jsp%20 is not a match and apache would then serve the 
> > > file as text?
> > > > 
> > > > Charlie
> > > > 
> > > > > -Original Message-
> > > > > From: John Turner [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, August 11, 2003 9:22 AM
> > > > > To: Tomcat Users List
> > > > > Subject: Re: security hole on windows tomcat?
> > > > > 
> > > > > 
> > > > > 
> > > > > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > > > > 
> > > > > John
> > > > > 
> > > > > Paul Sundling("Webdaddy") wrote:
> > > > > 
> > > > > > I came across what appears to be a security hole when 
> > > > > running tomcat. 
> > > > > > I'm not sure how widespread it is, but my linux server is 
> > > > > safe, yet my 
> > > > > > windows XP, tomcat 4.1.24 is vulnerable.
> > > > > > 
> > > > > > I found that if you append %20 to a jsp page it shows the 
> > > > > source code 
> > > > > > instead of displaying the page:
> > > > > > 
> > > > > > http://192.168.1.54:8080/index.jsp  
> > > > > > > http://192.168.1.54:8080/index.jsp%20
> > > > > > 
> > > > > > So how widespread is this?
> > > > > > 
> > > > > > Paul Sundling
> > > > > > 
> > > > > > 
> > > > > > 




RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Ralph Einfeldt
Can you arrange your file layout in a way, that the jsp's aren't 
under the document root for apache ? (I guess they are, otherwise
apache couldn't show them)


> -Original Message-
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2003 5:34 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> I ONLY see the problem in apache.  So I think it is a config problem.
> Will the jk2 URI :
> [uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
> When I turn on the accessvalve tomcat doesn't see this request.
> 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
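
The mapping question raised in this thread, as an added example that is not part of the original posts: a Python sketch that models a front end forwarding only paths that match the `*.jsp`-style patterns from the quoted workers2.properties, and scans access-log lines for script names padded with trailing whitespace. The matching model (fnmatch on the decoded path), the log format, the function names and the sample lines are assumptions for illustration, not mod_jk2's actual matcher.

```python
import fnmatch
import re
from urllib.parse import unquote, urlsplit

# URI patterns copied from the workers2.properties quoted in the thread
# (host part dropped); everything else in this block is an assumption.
MAPPED_PATTERNS = ["/*.jsp", "/*.adp", "/*.inc", "/servlet/*", "/*.gs"]
SCRIPT_EXTENSIONS = (".jsp", ".adp", ".inc", ".gs")

# Common Log Format, assumed here for the front-end access log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses, invented sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2003:16:10:50 -0600] "GET /index.jsp HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Aug/2003:16:10:53 -0600] "GET /index.jsp%20 HTTP/1.1" 200 1834',
    '192.0.2.11 - - [12/Aug/2003:16:11:02 -0600] "GET /admin/index.jsp%20 HTTP/1.1" 404 0',
    '192.0.2.12 - - [12/Aug/2003:16:11:09 -0600] "GET /images/logo.gif HTTP/1.1" 200 2048',
    '192.0.2.13 - - [12/Aug/2003:16:11:15 -0600] "GET /servlet/Report%20 HTTP/1.1" 200 90',
]


def decoded_path(target):
    """Return the percent-decoded path component of a request target."""
    return unquote(urlsplit(target).path)


def has_trailing_whitespace_after_script(target):
    """True when the decoded path is a mapped script name plus trailing whitespace."""
    path = decoded_path(target)
    stripped = path.rstrip()
    return stripped != path and stripped.lower().endswith(SCRIPT_EXTENSIONS)


def naive_decision(target):
    """Weak form: forward on a pattern match, otherwise let the front end
    serve the file itself (the hypothesis raised in the thread)."""
    path = decoded_path(target)
    if any(fnmatch.fnmatchcase(path, p) for p in MAPPED_PATTERNS):
        return "forward"
    return "static"


def hardened_decision(target):
    """Corrected form: refuse padded script names before any matching."""
    if has_trailing_whitespace_after_script(target):
        return "reject"
    return naive_decision(target)


def find_suspect_requests(lines):
    """Return one record per logged request for a whitespace-padded script name."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # not a Common Log Format line
        target = match.group("target")
        if has_trailing_whitespace_after_script(target):
            hits.append({
                "host": match.group("host"),
                "target": target,
                # A 200 means some handler produced a body for the padded name.
                "served": match.group("status") == "200",
                "naive": naive_decision(target),
            })
    return hits


if __name__ == "__main__":
    for target in ("/index.jsp", "/index.jsp%20"):
        print(target, naive_decision(target), hardened_decision(target))
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A hit with `served` set to true is the case worth checking by hand: the response body should be compared against the rendered page to see whether source was returned.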



Re: security hole on windows tomcat?

2003-08-14 Thread Mikko Hämäläinen
Hi,
I use Tomcat 4.1.18 on win2k and it seems to be safe, I also tested that
with Tomcat 4.0.1 on Redhat and it was ok too..


- Original Message -
From: "Paul Sundling("Webdaddy")" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 10, 2003 7:00 AM
Subject: security hole on windows tomcat?


> I came across what appears to be a security hole when running tomcat.
> I'm not sure how widespread it is, but my linux server is safe, yet my
> windows XP, tomcat 4.1.24 is vulnerable.
>
> I found that if you append %20 to a jsp page it shows the source code
> instead of displaying the page:
>
> http://192.168.1.54:8080/index.jsp  
> http://192.168.1.54:8080/index.jsp%20 
>
> So how widespread is this?
>
> Paul Sundling
>
>
>
>




RE: security hole on windows tomcat?

2003-08-14 Thread Shapira, Yoav

Howdy,
Same here, tomcat 4.1.27 on win2k pro, installed from the zip file not
as a service, and started via startup.bat, no problems.

Yoav Shapira
Millennium ChemInformatics


>-Original Message-
>From: John Turner [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 11, 2003 12:02 PM
>To: Tomcat Users List
>Subject: Re: security hole on windows tomcat?
>
>
>Red Hat Linux.
>
>I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30
>minutes ago, .exe install, installed as service).
>
>http://localhost/john/test.jsp%20 = 404
>
>John
>
>Paul Sundling wrote:
>
>> which operating system?
>>
>> Paul
>>
>> John Turner wrote:
>>
>>>
>>> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>>>
>>> John
>>>
>>> Paul Sundling("Webdaddy") wrote:
>>>
>>>> I came across what appears to be a security hole when running
tomcat.
>>>> I'm not sure how widespread it is, but my linux server is safe, yet
>>>> my windows XP, tomcat 4.1.24 is vulnerable.
>>>>
>>>> I found that if you append %20 to a jsp page it shows the source
code
>>>> instead of displaying the page:
>>>>
>>>> http://192.168.1.54:8080/index.jsp  
>>>> http://192.168.1.54:8080/index.jsp%20 
>>>>
>>>> So how widespread is this?
>>>>
>>>> Paul Sundling
>>>>
>>>>
>>>>







RE: security hole on windows tomcat?

2003-08-14 Thread Murray
Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
either port 8080 or port 80 - pages return fine without the %20 suffix,
always return http 404 with the suffix.

Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?


So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:

If you have seen this security problem of being able to view JSP
source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat ("8080") or through Apache - JK or JK2?
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please
list each separately.


I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20 and
https://(url)/tomcat/admin/index.jsp%20


Hopefully this mail gets through; I haven't been seeing my emails show
up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
can you turn on debugging for the default servlet(conf/web.xml) and
also
turn on the requestdumpervalve(server.xml) and post the log.





RE: security hole on windows tomcat?

2003-08-14 Thread Ralph Einfeldt
I think you should also include the JDK (vendor and version).

It's not impossible that this might be a JDK problem.

> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2003 6:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: security hole on windows tomcat?
> 
> 
> OS version
> Directly to Tomcat ("8080") or through Apache - JK or JK2?  
> (If you've seen the problem, please include your workers or
> workers2.properties file, with a .txt extension)
> Browser version(s)
> url's where this was seen or not seen
> 




Re: security hole on windows tomcat?

2003-08-14 Thread Eric J. Pinnell
Interesting.

WinXP
Tomcat 4.1.24

http://localhost:8080/examples/jsp/num/numguess.jsp%20

I get the source.

-e

On Mon, 11 Aug 2003, John Turner wrote:

>
> Let's see the Tomcat-only link.
>
> John
>
> Angus Mezick wrote:
>
> > Ok guys,
> > What could I have turned on that would have allowed this bug to happen?
> > I can make it happen in both tomcat and tomcat through apache.  (Most
> > recent of both)  I can provide a site where it DOES happen so you guys
> > can see what is happening.
> >
> >
> >>-Original Message-
> >>From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> >>Sent: Monday, August 11, 2003 12:07 PM
> >>To: 'Tomcat Users List'
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>sorry, I don't know - I don't use Apache. This was just a
> >>thought that I
> >>had.
> >>
> >>I do not have this problem 4.1.24 on Win2k
> >>
> >>Charlie
> >>
> >>
>
>
>
>
>




RE: security hole on windows tomcat?

2003-08-14 Thread Jeff Tulley
It is highly possible that this is dependent on the JVM you have
installed.  I actually finally WAS able to see this on Windows XP, but
only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
with 1.4.1.  Of course, JVM version is the one item I left off of my
"poll" in my email below.  :)

I'm trying to verify this on other OS's and track down what the actual
problem is.

But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
either port 8080 or port 80 - pages return fine without the %20
suffix,
always return http 404 with the suffix.

Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED] 
Subject: RE: security hole on windows tomcat?


So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:

If you have seen this security problem of being able to view JSP
source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat ("8080") or through Apache - JK or JK2?
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please
list each separately.


I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20 

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20 and
https://(url)/tomcat/admin/index.jsp%20 


Hopefully this mail gets through; I haven't been seeing my emails show
up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com 

>>> [EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
can you turn on debugging for the default servlet(conf/web.xml) and also
turn on the requestdumpervalve(server.xml) and post the log.





Re: security hole on windows tomcat?

2003-08-14 Thread John Turner
http://localhost:8080/examples/jsp/num/numguess.jsp%20 = 404

Win 2K Pro
Tomcat 4.1.27
John

Eric J. Pinnell wrote:

Interesting.

WinXP
Tomcat 4.1.24
http://localhost:8080/examples/jsp/num/numguess.jsp%20

I get the source.

-e

On Mon, 11 Aug 2003, John Turner wrote:


Let's see the Tomcat-only link.

John

Angus Mezick wrote:


Ok guys,
What could I have turned on that would have allowed this bug to happen?
I can make it happen in both tomcat and tomcat through apache.  (Most
recent of both)  I can provide a site where it DOES happen so you guys
can see what is happening.


-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a
thought that I
had.
I do not have this problem 4.1.24 on Win2k

Charlie






RE: security hole on windows tomcat?

2003-08-14 Thread Shawn Zernik
Mr. Sundling:

I'm running tomcat 4.1.27 and that does not appear to be an issue.  I used
"http://localhost:8080/jweb/left.jsp%20" as my url.

-Original Message-
From: Spam Email [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: security hole on windows tomcat?


I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  
http://192.168.1.54:8080/index.jsp%20 

So how widespread is this?

Paul Sundling





Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
yep, you're correct that the JDK was important in solving this.  In case 
you didn't get the message below, the guys tracked it down to being a 
problem in JDK 1.4.2 .  I'll remember to include that information next time.

Paul Sundling

Ralph Einfeldt wrote:

I think you should also include the JDK (vendor and version).

It's not impossible that this might be a JDK problem.

 

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
OS version
Directly to Tomcat ("8080") or through Apache - JK or JK2?  
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

   

Yes, adding
-Dsun.io.useCanonCaches=false

to the tomcat seemed to fix the security hole I discovered on my 4.1.24 
tomcat on Windows XP using JDK 1.4.2.  Great job finding a solution.  
It's a testament to open source and cooperation.  Fortunately it's JSP 
source it's showing and people should have anything worth seeing in 
their servlets or EJBs anyway.  
Paul Sundling

Jeff Tulley wrote:

I just wanted to make sure you saw this -- Jeanfrancois made the
connection that this issue has a known workaround, so you don't have to
backrev your JVM if you don't want to.
I tried this on Windows XP and NetWare and it worked in both places...

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
 

[EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
  

Sorry I've just realized this thread may be related to bugtraq #4895132
(thanks to Jeff for the wake up mail on tomcat-dev). The
workaround is to add the following property when starting Tomcat:
-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is
not working, then point me to a very simple test case and I will file a
new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:

 

I think at this point this might be a worthwhile candidate for Sun's
bugparade.  At least get it on their radars (if they don't know about it
already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit
out the source code when it gets a request it doesn't know how to deal
with.  Upon failure it should result in some kind of error.  Sun might
care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:



  

It is highly possible that this is dependent on the JVM you have
installed.  I actually finally WAS able to see this on Windows XP, but
only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
with 1.4.1.  Of course, JVM version is the one item I left off of my
"poll" in my email below.

I'm trying to verify this on other OS's and track down what the actual
problem is.

But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
 

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
 


[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
   
  

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
either port 8080 or port 80 - pages return fine without the %20 suffix,
always return http 404 with the suffix.

Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:

If you have seen this security problem of being able to view JSP
source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat ("8080") or through Apache - JK or JK2?
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please
list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26,

RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
I just saw this with 4.1.24 on win2k as well.  EXTREMELY disturbing!

> -Original Message-
> From: Mikko Hämäläinen [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 11, 2003 8:18 AM
> To: Tomcat Users List
> Subject: Re: security hole on windows tomcat?
> 
> 
> Hi,
> I use Tomcat 4.1.18 on win2k and it seems to be safe, I also 
> tested that
> with Tomcat 4.0.1 on Redhat and it was ok too..
> 
> 
> - Original Message -
> From: "Paul Sundling("Webdaddy")" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, August 10, 2003 7:00 AM
> Subject: security hole on windows tomcat?
> 
> 
> > I came across what appears to be a security hole when 
> running tomcat.
> > I'm not sure how widespread it is, but my linux server is 
> safe, yet my
> > windows XP, tomcat 4.1.24 is vulnerable.
> >
> > I found that if you append %20 to a jsp page it shows the 
> source code
> > instead of displaying the page:
> >
> > http://192.168.1.54:8080/index.jsp  
> > http://192.168.1.54:8080/index.jsp%20  index.jsp>
> >
> > So how widespread is this?
> >
> > Paul Sundling
> >
> >
> > 



Re: security hole on windows tomcat?

2003-08-14 Thread Jean-Francois Arcand
Sorry I've just realized this thread may be related to bugtraq #4895132
(thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is
not working, then point me to a very simple test case and I will file a
new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:

I think at this point this might be a worthwhile candidate for Sun's
bugparade.  At least get it on their radars (if they don't know about it
already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
When 1.4.2 was released 4.1.24 was the latest stable build.
Regardless the JDK/appserver/whatever should never puke its guts and spit
out the source code when it gets a request it doesn't know how to deal
with.  Upon failure it should result in some kind of error.  Sun might
care about this...
-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

 

It is highly possible that this is dependent on the JVM you have
installed.  I actually finally WAS able to see this on Windows XP, but
only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
with 1.4.1.  Of course, JVM version is the one item I left off of my
"poll" in my email below.  :)
I'm trying to verify this on other OS's and track down what the actual
problem is.
But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
   

[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
 

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
either port 8080 or port 80 - pages return fine without the %20 suffix,
always return http 404 with the suffix.
Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:
If you have seen this security problem of being able to view JSP
source, in what scenario(s)?
Tomcat version
OS version
Directly to Tomcat ("8080") or through Apache - JK or JK2?
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen
If you have seen this in multiple scenarios, and not in others, please
list each separately.
I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20
Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20 and
https://(url)/tomcat/admin/index.jsp%20
Hopefully this mail gets through; I haven't been seeing my emails show
up on tomcat-user for some reason (I un/resubscribed today...)
It would be really good to get to the bottom of this!

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
   

[EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
 

can you turn on debugging for the default servlet(conf/web.xml) and also
turn on the requestdumpervalve(server.xml) and post the log.


Re: security hole on windows tomcat?

2003-08-14 Thread John Turner
Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling("Webdaddy") wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet my 
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  
http://192.168.1.54:8080/index.jsp%20 
So how widespread is this?

Paul Sundling



Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
It's a default tomcat 4.1.24 install on windows XP with no apache.  
You'll note I used port 8080 in my sample, so I'm going directly to 
tomcat.  I went through the web.xml and there is a mapping for *.jsp and 
there is no space.  Even if there were, there's no space in the file itself.

So be sure to mention operating system.  I was only able to recreate it 
on windows, not on linux.

Paul Sundling

Cox, Charlie wrote:

do you have apache on the front end and are you only mapping *.jsp where
*.jsp%20 is not a match and apache would then serve the file as text?
Charlie

 

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?


Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling("Webdaddy") wrote:

   

I came across what appears to be a security hole when running tomcat.
I'm not sure how widespread it is, but my linux server is safe, yet my
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code
instead of displaying the page:

http://192.168.1.54:8080/index.jsp
http://192.168.1.54:8080/index.jsp%20  index.jsp>

So how widespread is this?

Paul Sundling



 



RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
Nope, but this mime mapping exists.

<mime-mapping>
  <extension>jspf</extension>
  <mime-type>text/plain</mime-type>
</mime-mapping>


> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 11, 2003 12:15 PM
> To: 'Tomcat Users List'
> Subject: RE: security hole on windows tomcat?
> 
> 
> did you change any mime-mappings in conf/web.xml? could you 
> have a "jsp " in
> there somewhere defining it as text?
> 
> > -Original Message-
> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 11, 2003 12:15 PM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > Ok guys,
> > What could I have turned on that would have allowed this bug 
> > to happen?
> > I can make it happen in both tomcat and tomcat through 
> apache.  (Most
> > recent of both)  I can provide a site where it DOES happen 
> so you guys
> > can see what is happening.
> > 
> > > -Original Message-
> > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > Sent: Monday, August 11, 2003 12:07 PM
> > > To: 'Tomcat Users List'
> > > Subject: RE: security hole on windows tomcat?
> > > 
> > > 
> > > sorry, I don't know - I don't use Apache. This was just a 
> > > thought that I
> > > had.
> > > 
> > > I do not have this problem 4.1.24 on Win2k
> > > 
> > > Charlie
> > > 
> > > > -Original Message-
> > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, August 11, 2003 11:49 AM
> > > > To: Tomcat Users List
> > > > Subject: RE: security hole on windows tomcat?
> > > > 
> > > > 
> > > > Charlie,  
> > > > How do you fix this within apache?
> > > > 
> > > > > -Original Message-
> > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > > Sent: Monday, August 11, 2003 10:15 AM
> > > > > To: 'Tomcat Users List'
> > > > > Subject: RE: security hole on windows tomcat?
> > > > > 
> > > > > 
> > > > > do you have apache on the front end and are you only mapping 
> > > > > *.jsp where
> > > > > *.jsp%20 is not a match and apache would then serve the 
> > > > file as text?
> > > > > 
> > > > > Charlie
> > > > > 
> > > > > > -Original Message-
> > > > > > From: John Turner [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Monday, August 11, 2003 9:22 AM
> > > > > > To: Tomcat Users List
> > > > > > Subject: Re: security hole on windows tomcat?
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > > > > > 
> > > > > > John
> > > > > > 
> > > > > > Paul Sundling("Webdaddy") wrote:
> > > > > > 
> > > > > > > I came across what appears to be a security hole when 
> > > > > > running tomcat. 
> > > > > > > I'm not sure how widespread it is, but my linux server is 
> > > > > > safe, yet my 
> > > > > > > windows XP, tomcat 4.1.24 is vulnerable.
> > > > > > > 
> > > > > > > I found that if you append %20 to a jsp page it shows the 
> > > > > > source code 
> > > > > > > instead of displaying the page:
> > > > > > > 
> > > > > > > http://192.168.1.54:8080/index.jsp   as expected>
> > > > > > > http://192.168.1.54:8080/index.jsp%20  source code of 
> > > > > > index.jsp>
> > > > > > > 
> > > > > > > So how widespread is this?
> > > > > > > 
> > > > > > > Paul Sundling
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 

RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
Not at the current late stage of development we are currently in.  I
know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
just redirect them into limbo, I don't know.

> -Original Message-
> From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 13, 2003 11:45 AM
> To: Tomcat Users List
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> Can you arrange your file layout in a way, that the jsp's aren't 
> under the document root for apache ? (I guess they are, otherwise
> apache couldn't show them)
> 
> 
> > -Original Message-
> > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 13, 2003 5:34 PM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows Apache -> Tomcat?
> > 
> > 
> > I ONLY see the problem in apache.  So I think it is a 
> config problem.
> > Will the jk2 URI :
> > [uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
> > When I turn on the accessvalve tomcat doesn't see this request.
> > 
> 



Re: security hole on windows tomcat?

2003-08-14 Thread John Turner
Red Hat Linux.

I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 
minutes ago, .exe install, installed as service).

http://localhost/john/test.jsp%20 = 404

John

Paul Sundling wrote:

which operating system?

Paul

John Turner wrote:

Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling("Webdaddy") wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet 
my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  
http://192.168.1.54:8080/index.jsp%20 
So how widespread is this?

Paul Sundling



RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
sorry, I don't know - I don't use Apache. This was just a thought that I
had.

I do not have this problem 4.1.24 on Win2k

Charlie

> -Original Message-
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 11:49 AM
> To: Tomcat Users List
> Subject: RE: security hole on windows tomcat?
> 
> 
> Charlie,  
> How do you fix this within apache?
> 
> > -Original Message-
> > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, August 11, 2003 10:15 AM
> > To: 'Tomcat Users List'
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > do you have apache on the front end and are you only mapping 
> > *.jsp where
> > *.jsp%20 is not a match and apache would then serve the 
> file as text?
> > 
> > Charlie
> > 
> > > -Original Message-----
> > > From: John Turner [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, August 11, 2003 9:22 AM
> > > To: Tomcat Users List
> > > Subject: Re: security hole on windows tomcat?
> > > 
> > > 
> > > 
> > > Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> > > 
> > > John
> > > 
> > > Paul Sundling("Webdaddy") wrote:
> > > 
> > > > I came across what appears to be a security hole when 
> > > running tomcat. 
> > > > I'm not sure how widespread it is, but my linux server is 
> > > safe, yet my 
> > > > windows XP, tomcat 4.1.24 is vulnerable.
> > > > 
> > > > I found that if you append %20 to a jsp page it shows the 
> > > source code 
> > > > instead of displaying the page:
> > > > 
> > > > http://192.168.1.54:8080/index.jsp  
> > > > http://192.168.1.54:8080/index.jsp%20  > > index.jsp>
> > > > 
> > > > So how widespread is this?
> > > > 
> > > > Paul Sundling
> > > > 
> > > > 
> > > > 
> > > 
> > 



RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Jeff Tulley
Yes, but all Apache does is redirect the request to Tomcat for handling.
 Tomcat itself decides whether to compile the JSP or serve the file as a
"static file" (and hence, show the source).  I saw this problem both
directly to Tomcat (8080), and through Apache integration, until I did
the workaround.

There IS somebody on the Tomcat development list who still has the
problem -- he is running Tomcat as a Windows Service, with Apache
integration, and the workaround doesn't seem to work.  I cannot
duplicate since I don't run it as a service or use mod_jk2 like he is.

Are you sure you still see this with the workaround?  It went away for
me even with my apache-served urls.  Also, is backrevving the JVM to
1.4.1 an option for you?  I'd try that and see if that fixes the
problem.

The behaviour of your site WAS exactly the same as mine once I was able
to get the problem to happen on my box, so it seems like we are all
seeing the same thing.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/13/03 6:53:39 AM >>>
Ok.  I have this problem but it isn't tomcat that is doing the serving
of the JSP source.  It is apache.  This is my workers2.properties uri
section:


[uri:www.SITENAME.org/*.jsp]
group=lbWWW
[uri:www.SITENAME.org/*.adp]
group=lbWWW
[uri:www.SITENAME.org/*.inc]
group=lbWWW
[uri:www.SITENAME.org/servlet/*]
group=lbWWW
[uri:www.SITENAME.org/*.gs]
group=lbWWW


I am guessing the problem is because
http://www.SITENAME.org/index.jsp%20 is not a match for
http://www.SITENAME.org/*.jsp  (that trailing space messes stuff up).
Should I just create a RedirectMatch for this case that removes all
trailing whitespace?  Would mod_rewrite be better for this?  I am using
this list for this question because I KNOW the apache list doesn't want
tomcat integration questions.
--Angus


> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 12, 2003 9:14 PM
> To: [EMAIL PROTECTED] 
> Subject: Re: security hole on windows tomcat?
> 
> 
> I've verified that this workaround stops the problem on Win XP's 1.4.2
> and on NetWare's 1.4.2
> 
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com 
> 
> >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> Sorry I've just realize this thread may be related to bugtraq 
> #4895132 
> 
> (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The
> workaround 
> is to add the following property when starting Tomcat:
> 
> -Dsun.io.useCanonCaches=false
> 
> Can someone try it and let me know if it change something. If this is

> not working, then point me to a very simple test case and I 
> will file a
> 
> new bugtraq bug.
> 
> -- Jeanfrancois
> 
> 
> Eric J. Pinnell wrote:
> 
> >I think at this point this might be a worthwhile candidate for Sun's
> >bugparade.  At least get it on their radars (if they don't know about it
> >already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> >When 1.4.2 was released 4.1.24 was the latest stable build.
> >
> >Regardless the JDK/appserver/whatever should never puke its guts and spit
> >out the source code when it gets a request it doesn't know how to deal
> >with.  Upon failure it should result in some kind of error.  Sun might
> >care about this...
> >
> >-e
> >
> >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> >
> >  
> >
> >>It is highly possible that this is dependent on the JVM you have
> >>installed.  I actually finally WAS able to see this on Windows XP, but
> >>only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
> >>with 1.4.1.  Of course, JVM version is the one item I left off of my
> >>"poll" in my email below.  :)
> >>
> >>I'm trying to verify this on other OS's and track down what the actual
> >>problem is.
> >>
> >>But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
> >>
> >>Jeff Tulley  ([EMAIL PROTECTED])
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com 
> >>
> >>
> >>
> >>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
> >>>>>  
> >>>>>
> >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost
> via
> >>either port 8080 or port 80 - pages return fine without the 

RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
Here is the redirect that I use in my virtualhost entry in apache:
RedirectMatch (.*?)\s+$ http://www.SITENAMEHERE.org$1
Nicely stops the problem of people adding spaces to their url's. (or any
other whitespace for that matter)
--Angus

> -Original Message-
> From: Angus Mezick 
> Sent: Wednesday, August 13, 2003 1:56 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows Apache -> Tomcat?
> 
> 
> Not at the current late stage of development we are currently in.  I
> know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
> just redirect them into limbo, I don't know.
> 
> > -Original Message-
> > From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, August 13, 2003 11:45 AM
> > To: Tomcat Users List
> > Subject: RE: security hole on windows Apache -> Tomcat?
> > 
> > 
> > Can you arrange your file layout in a way, that the jsp's aren't 
> > under the document root for apache ? (I guess they are, otherwise
> > apache couldn't show them)
> > 
> > 
> > > -Original Message-----
> > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, August 13, 2003 5:34 PM
> > > To: Tomcat Users List
> > > Subject: RE: security hole on windows Apache -> Tomcat?
> > > 
> > > 
> > > I ONLY see the problem in apache.  So I think it is a 
> > config problem.
> > > Will the jk2 URI :
> > > [uri:www.SITENAME.org/*.jsp]  catch 
> www.SITENAME.org/index.jsp%20 ?
> > > When I turn on the 
> accessvalve tomcat doesn't see this request.
> > > 
> > 
> > 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
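
The fall-through discussed in this thread (a front end that forwards only `*.jsp`-style patterns, so `index.jsp%20` is handled as a static file), written as an access-log check. This is an added example, not code from any poster; it assumes Common Log Format lines, models the mapping as a plain suffix match, and uses constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Extensions the front end forwards to the servlet container, taken from the
# workers2.properties [uri:...] patterns quoted in the thread.
FORWARDED_EXTENSIONS = (".jsp", ".adp", ".inc", ".gs")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def forwarded(path):
    """Assumed model of a '*.ext' mapping: the decoded path must end in ext."""
    return path.lower().endswith(FORWARDED_EXTENSIONS)


def classify(target):
    """Return 'forwarded', 'evades-mapping' or 'static' for a request target."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
    if forwarded(path):
        return "forwarded"
    # Same path with trailing whitespace removed WOULD have been forwarded:
    # this is the index.jsp%20 case from the thread.
    if forwarded(path.rstrip()):
        return "evades-mapping"
    return "static"


def suspicious_hits(lines):
    """List (host, target, outcome) for requests that slip past the mapping."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or classify(m["target"]) != "evades-mapping":
            continue
        # A 200 means the front end answered the request itself.
        outcome = "served" if m["status"] == "200" else "not served"
        hits.append((m["host"], m["target"], outcome))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2003:10:00:01 -0400] "GET /index.jsp HTTP/1.1" 200 512',
    '192.0.2.11 - - [14/Aug/2003:10:00:05 -0400] "GET /index.jsp%20 HTTP/1.1" 200 2048',
    '192.0.2.11 - - [14/Aug/2003:10:00:09 -0400] "GET /inc/header.inc%09?x=1 HTTP/1.1" 404 209',
    '192.0.2.12 - - [14/Aug/2003:10:00:12 -0400] "GET /images/logo.gif HTTP/1.1" 200 1034',
]

if __name__ == "__main__":
    for host, target, outcome in suspicious_hits(SAMPLE_LOG):
        print(f"{host} {target} -> {outcome}")
```

With a redirect such as the RedirectMatch above in place, the same requests show up with a redirect status instead of 200, so they are reported as "not served".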



RE: security hole on windows Apache -> Tomcat?

2003-08-14 Thread Angus Mezick
Ok.  I have this problem but it isn't tomcat that is doing the serving
of the JSP source.  It is apache.  This is my workers2.properties uri
section:


[uri:www.SITENAME.org/*.jsp]
group=lbWWW
[uri:www.SITENAME.org/*.adp]
group=lbWWW
[uri:www.SITENAME.org/*.inc]
group=lbWWW
[uri:www.SITENAME.org/servlet/*]
group=lbWWW
[uri:www.SITENAME.org/*.gs]
group=lbWWW


I am guessing the problem is because
http://www.SITENAME.org/index.jsp%20 is not a match for
http://www.SITENAME.org/*.jsp  (that trailing space messes stuff up).
Should I just create a RedirectMatch for this case that removes all
trailing whitespace?  Would mod_rewrite be better for this?  I am using
this list for this question because I KNOW the apache list doesn't want
tomcat integration questions.
--Angus


> -Original Message-
> From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 12, 2003 9:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security hole on windows tomcat?
> 
> 
> I've verified that this workaround stops the problem on Win XP's 1.4.2
> and on NetWare's 1.4.2
> 
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
> 
> >>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
> Sorry I've just realized this thread may be related to bugtraq #4895132
> (thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The workaround
> is to add the following property when starting Tomcat:
> 
> -Dsun.io.useCanonCaches=false
> 
> Can someone try it and let me know if it changes something. If this is
> not working, then point me to a very simple test case and I will file a
> new bugtraq bug.
> 
> -- Jeanfrancois
> 
> 
> Eric J. Pinnell wrote:
> 
> >I think at this point this might be a worthwhile candidate for Sun's
> >bugparade.  At least get it on their radars (if they don't know about it
> >already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
> >When 1.4.2 was released 4.1.24 was the latest stable build.
> >
> >Regardless the JDK/appserver/whatever should never puke its guts and spit
> >out the source code when it gets a request it doesn't know how to deal
> >with.  Upon failure it should result in some kind of error.  Sun might
> >care about this...
> >
> >-e
> >
> >On Tue, 12 Aug 2003, Jeff Tulley wrote:
> >
> >  
> >
> >>It is highly possible that this is dependent on the JVM you have
> >>installed.  I actually finally WAS able to see this on Windows XP, but
> >>only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
> >>with 1.4.1.  Of course, JVM version is the one item I left off of my
> >>"poll" in my email below.  :)
> >>
> >>I'm trying to verify this on other OS's and track down what the actual
> >>problem is.
> >>
> >>But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
> >>
> >>Jeff Tulley  ([EMAIL PROTECTED])
> >>(801)861-5322
> >>Novell, Inc., The Leading Provider of Net Business Solutions
> >>http://www.novell.com 
> >>
> >>    
> >>
> >>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
> >>>>>  
> >>>>>
> >>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
> >>either port 8080 or port 80 - pages return fine without the %20 suffix,
> >>always return http 404 with the suffix.
> >>
> >>Murray
> >>-Original Message-
> >>From: Jeff Tulley [mailto:[EMAIL PROTECTED] 
> >>Sent: Wednesday, 13 August 2003 02:41
> >>To: [EMAIL PROTECTED] 
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>So this issue is confusing.  It seems that indeed there IS an issue,
> >>though most cannot see a problem.
> >>Talking to some people off-list, it seems that some think it is a JK2 /
> >>workers2.properties issue.  But I'm pretty sure that others have seen
> >>this going directly to port 8080.
> >>We probably need to take a quick poll:
> >>
> >>If you have seen this security problem of being able to view JSP
> >>source, in what scenario(s)?
> >>
> >>Tomcat version
> >>OS version
> >>Directly to Tomcat ("8080") or through Apache - JK or JK2?
> >>(If you've seen the problem, please include your workers or

RE: security hole on windows tomcat?

2003-08-14 Thread Jeff Tulley
So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:

If you have seen this security problem of being able to view JSP
source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat ("8080") or through Apache - JK or JK2?  
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
URLs where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please
list each separately.


I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20 and
https://(url)/tomcat/admin/index.jsp%20


Hopefully this mail gets through; I haven't been seeing my emails show
up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
can you turn on debugging for the default servlet(conf/web.xml) and also
turn on the requestdumpervalve(server.xml) and post the log.





Re: security hole on windows tomcat?

2003-08-11 Thread Jeff Tulley
I also cannot see this on Windows 2000, or on NetWare, using Tomcat
4.1.18, 4.1.24, or 4.1.26.  On NetWare I tried going through Apache and
through 8080, on Windows port 8080.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/11/03 10:01:47 AM >>>

Red Hat Linux.

I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 
minutes ago, .exe install, installed as service).

http://localhost/john/test.jsp%20 = 404

John

Paul Sundling wrote:

> which operating system?
> 
> Paul
> 
> John Turner wrote:
> 
>>
>> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>>
>> John
>>
>> Paul Sundling("Webdaddy") wrote:
>>
>>> I came across what appears to be a security hole when running tomcat.
>>> I'm not sure how widespread it is, but my linux server is safe, yet
>>> my windows XP, tomcat 4.1.24 is vulnerable.
>>>
>>> I found that if you append %20 to a jsp page it shows the source code
>>> instead of displaying the page:
>>>
>>> http://192.168.1.54:8080/index.jsp  
>>> http://192.168.1.54:8080/index.jsp%20 
>>>
>>> So how widespread is this?
>>>





RE: security hole on windows tomcat?

2003-08-11 Thread Cox, Charlie
you can also turn on the AccessLogValve in server.xml to show if the request
gets to tomcat from apache and to see what it looks like.



> -Original Message-
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 12:56 PM
> To: Tomcat Users List
> Subject: RE: security hole on windows tomcat?
> 
> 
> ARGH! This has gone to just being an apache problem.  Tomcat seems to
> have self corrected.  I am very confused but will keep looking.  Apache
> still does it though.
> 
> > -Original Message-
> > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, August 11, 2003 12:40 PM
> > To: 'Tomcat Users List'
> > Subject: RE: security hole on windows tomcat?
> > 
> > 
> > can you turn on debug for the defaultservlet - set it to 99 in
> > conf/web.xml and post the log.
> > 
> > > -Original Message-
> > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, August 11, 2003 12:39 PM
> > > To: Tomcat Users List
> > > Subject: RE: security hole on windows tomcat?
> > > 
> > > 
> > > Nope, but this mime mapping exists.
> > > 
> > > jspf
> > > text/plain
> > > 
> > > 
> > > > -Original Message-
> > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > Sent: Monday, August 11, 2003 12:15 PM
> > > > To: 'Tomcat Users List'
> > > > Subject: RE: security hole on windows tomcat?
> > > > 
> > > > 
> > > > did you change any mime-mappings in conf/web.xml? could you have a
> > > > "jsp " in there somewhere defining it as text?
> > > > 
> > > > > -Original Message-
> > > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, August 11, 2003 12:15 PM
> > > > > To: Tomcat Users List
> > > > > Subject: RE: security hole on windows tomcat?
> > > > > 
> > > > > 
> > > > > Ok guys,
> > > > > What could I have turned on that would have allowed this bug to happen?
> > > > > I can make it happen in both tomcat and tomcat through apache.  (Most
> > > > > recent of both)  I can provide a site where it DOES happen so you guys
> > > > > can see what is happening.
> > > > > 
> > > > > > -Original Message-
> > > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > > > Sent: Monday, August 11, 2003 12:07 PM
> > > > > > To: 'Tomcat Users List'
> > > > > > Subject: RE: security hole on windows tomcat?
> > > > > > 
> > > > > > 
> > > > > > sorry, I don't know - I don't use Apache. This was just a thought
> > > > > > that I had.
> > > > > > 
> > > > > > I do not have this problem 4.1.24 on Win2k
> > > > > > 
> > > > > > Charlie
> > > > > > 
> > > > > > > -Original Message-
> > > > > > > From: Angus Mezick [mailto:[EMAIL PROTECTED]
> > > > > > > Sent: Monday, August 11, 2003 11:49 AM
> > > > > > > To: Tomcat Users List
> > > > > > > Subject: RE: security hole on windows tomcat?
> > > > > > > 
> > > > > > > 
> > > > > > > Charlie,  
> > > > > > > How do you fix this within apache?
> > > > > > > 
> > > > > > > > -Original Message-
> > > > > > > > From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
> > > > > > > > Sent: Monday, August 11, 2003 10:15 AM
> > > > > > > > To: 'Tomcat Users List'
> > > > > > > > Subject: RE: security hole on windows tomcat?
> > > > > > > > 
> > > > > > > > 
> > > > > > > > do you have apache on the front end and are you only mapping
> > > > > > > > *.jsp where *.jsp%20 is not a match and apache would then
> > > > > > > > serve the file as text?

RE: security hole on windows tomcat?

2003-08-11 Thread Moraes, Fabio

http://localhost/examples/jsp/num/numguess.jsp%20 = 404

(my tomcat is running on port 80)

---
 Fabio Moraes
 [EMAIL PROTECTED]
 System Engineer
 Work Force Management System
 +55 21 3088 9548


-Original Message-
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 13:28
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?


Interesting.

WinXP
Tomcat 4.1.24

http://localhost:8080/examples/jsp/num/numguess.jsp%20

I get the source.

-e

On Mon, 11 Aug 2003, John Turner wrote:

>
> Let's see the Tomcat-only link.
>
> John
>
> Angus Mezick wrote:
>
> > Ok guys,
> > What could I have turned on that would have allowed this bug to happen?
> > I can make it happen in both tomcat and tomcat through apache.  (Most
> > recent of both)  I can provide a site where it DOES happen so you guys
> > can see what is happening.
> >
> >
> >>-Original Message-
> >>From: Cox, Charlie [mailto:[EMAIL PROTECTED]
> >>Sent: Monday, August 11, 2003 12:07 PM
> >>To: 'Tomcat Users List'
> >>Subject: RE: security hole on windows tomcat?
> >>
> >>
> >>sorry, I don't know - I don't use Apache. This was just a thought
> >>that I had.
> >>
> >>I do not have this problem 4.1.24 on Win2k
> >>
> >>Charlie
> >>
> >>
>
>
>



Re: security hole on windows tomcat?

2003-08-11 Thread John Turner
sorry, that should be http://localhost:8080/john/test.jsp%20 = 404

No Apache is involved.

John

John Turner wrote:

Red Hat Linux.

I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 
minutes ago, .exe install, installed as service).

http://localhost/john/test.jsp%20 = 404

John

Paul Sundling wrote:

which operating system?

Paul

John Turner wrote:

Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling("Webdaddy") wrote:

I came across what appears to be a security hole when running 
tomcat. I'm not sure how widespread it is, but my linux server is 
safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source 
code instead of displaying the page:

http://192.168.1.54:8080/index.jsp  
http://192.168.1.54:8080/index.jsp%20 
So how widespread is this?

Paul Sundling





RE: security hole on windows tomcat?

2003-08-11 Thread Cox, Charlie
do you have apache on the front end and are you only mapping *.jsp where
*.jsp%20 is not a match and apache would then serve the file as text?

Charlie

> -Original Message-
> From: John Turner [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 9:22 AM
> To: Tomcat Users List
> Subject: Re: security hole on windows tomcat?
> 
> 
> 
> Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
> 
> John
> 
> Paul Sundling("Webdaddy") wrote:
> 
> > I came across what appears to be a security hole when running tomcat.
> > I'm not sure how widespread it is, but my linux server is safe, yet my
> > windows XP, tomcat 4.1.24 is vulnerable.
> > 
> > I found that if you append %20 to a jsp page it shows the source code
> > instead of displaying the page:
> > 
> > http://192.168.1.54:8080/index.jsp
> > http://192.168.1.54:8080/index.jsp%20
> > 
> > So how widespread is this?
> > 
> > Paul Sundling
> > 
> > 
> > 



RE: Security hole

2001-08-03 Thread Randy Layman


What you are seeing is the AutoSetup component mounting contexts
because it sees these directories and therefore creates the contexts.  Your
best bet is, probably, to go into server.xml and remove the AutoSetup
configuration.  This will disable the auto-mounting of WAR files, however,
so this might not be your best answer if you are using WAR files.

Randy


> -Original Message-
> From: Claus Jul Larsen [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 3:16 AM
> To: Tomcat User (E-mail)
> Subject: Security hole
> 
> 
> Hi,
> 
> I've a strangely problem:
> 
> When I start the tomcat with the ./startup.sh
> 
> Output:
> 
> 
> 
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( dev.miraculix.dk:
> )
> Starting tomcat. Check logs/tomcat.log for error messages
> 2001-08-01 11:53:31 - ContextManager: Tomcat classpath =
> /usr/local/jakarta-tomcat/lib/ant.jar:/usr/local/jakarta-tomcat/lib/jasper.j
> ar:/usr/local/jakarta-tomcat/lib/jaxp.jar:/usr/local/jakarta-tomcat/lib/pars
> er.jar:/usr/local/jakarta-tomcat/lib/servlet.jar:/usr/local/jakarta-tomcat/l
> ib/test:/usr/local/jakarta-tomcat/lib/webserver.jar:/usr/java/jdk1.3/lib/too
> ls.jar:/usr/java/jdk1.3
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /admin )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /examples )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx(  )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /test )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /KEYS )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /LICENSE )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /RELEASE-NOTES )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /bin )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /conf )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /doc )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /lib )
> 2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /src )
> 2001-08-01 11:53:31 - ContextManager: calc work dir
> /usr/local/jakarta-tomcat/work
> 2001-08-01 11:53:32 - PoolTcpConnector: Starting HttpConnectionHandler on
> 8080
> 2001-08-01 11:53:32 - PoolTcpConnector: Starting Ajp12ConnectionHandler on
> 8007
> 
> 
> 
> But i've only have context for dev.miraculix.dk and no more i server.xml
> 
> The context manager adds /admin /examples /test /KEYS /LICENSE and more.
> These contexts isn't in the Server.xml ... but is still run them ???! I want
> only dev.miraculix.dk on /web-staff/www.miraculix.dk and no more This is
> version 3.2.3...
> 
> Thanx
> 
> 
> 
> Kind regards
> 
>   Claus Jul Larsen
>   |  System Developer
>   |  [EMAIL PROTECTED]
>   |  Direct text telephone: 7731 2010; first call the
>   |  text telephone centre on 7011 4411 and ask for the
>   |  number.
>   
>   e|novasion a·s
>   |  store kongensgade 23a
>   |  DK - 1264 københavn k
>   |  tel: +45 7731 1940  
>   |  fax: +45 7731 1950
>   |  www.enovasion.dk
> 
> 



RE: Security hole

2001-08-02 Thread Loïc Lefèvre

Just delete the WAR files you don't want plus the relative directories
from your webapps directory ;)

-Original Message-
From: Claus Jul Larsen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 2 August 2001 09:16
To: Tomcat User (E-mail)
Subject: Security hole


Hi,

I've a strangely problem:

When I start the tomcat with the ./startup.sh

Output:



2001-08-01 11:53:31 - ContextManager: Adding context Ctx( dev.miraculix.dk:
)
Starting tomcat. Check logs/tomcat.log for error messages
2001-08-01 11:53:31 - ContextManager: Tomcat classpath =
/usr/local/jakarta-tomcat/lib/ant.jar:/usr/local/jakarta-tomcat/lib/jasper.j
ar:/usr/local/jakarta-tomcat/lib/jaxp.jar:/usr/local/jakarta-tomcat/lib/pars
er.jar:/usr/local/jakarta-tomcat/lib/servlet.jar:/usr/local/jakarta-tomcat/l
ib/test:/usr/local/jakarta-tomcat/lib/webserver.jar:/usr/java/jdk1.3/lib/too
ls.jar:/usr/java/jdk1.3
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /admin )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /examples )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx(  )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /test )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /KEYS )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /LICENSE )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /RELEASE-NOTES )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /bin )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /conf )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /doc )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /lib )
2001-08-01 11:53:31 - ContextManager: Adding context Ctx( /src )
2001-08-01 11:53:31 - ContextManager: calc work dir
/usr/local/jakarta-tomcat/work
2001-08-01 11:53:32 - PoolTcpConnector: Starting HttpConnectionHandler on
8080
2001-08-01 11:53:32 - PoolTcpConnector: Starting Ajp12ConnectionHandler on
8007



But i've only have context for dev.miraculix.dk and no more i server.xml

The context manager adds /admin /examples /test /KEYS /LICENSE and more.
These contexts isn't in the Server.xml ... but is still run them ???! I want
only dev.miraculix.dk on /web-staff/www.miraculix.dk and no more This is
version 3.2.3...

Thanx



Kind regards

  Claus Jul Larsen
  |  System Developer
  |  [EMAIL PROTECTED]
  |  Direct text telephone: 7731 2010; first call the
  |  text telephone centre on 7011 4411 and ask for the
  |  number.

  e|novasion a·s
  |  store kongensgade 23a
  |  DK - 1264 københavn k
  |  tel: +45 7731 1940
  |  fax: +45 7731 1950
  |  www.enovasion.dk

