Re: security hole on windows/ Tomcat with JRE 1.4.2 (b28)
Search the archives - I think this is a JDK 1.4.2 related bug.

-Tim

Asaf Barkan wrote:

The syndrome is that when typing:

http://myurl:8080/myfile.jsp%20

The JSP code is delivered to the client.

I have checked this on the following platforms:

Win2k server (SP3)
JRE 1.4.2 (b28)
IIS 5/Tomcat HTTP 1.1 connector

It works but it is not consistent (could be some race case). BTW I have tried this on 1.4.2 (b2) and I could not compromise this hole.

I have encountered a discussion on a similar issue with a recommendation to add the following argument to the Tomcat string:

-Dsun.io.useCanonCaches=false

I have tried this and it solved the problem. Can someone tell me whether there are other solutions and what this parameter means?

Thanks a lot

This email has been scanned for all viruses.

Mercury Interactive Corporation
Optimizing Business Processes to Maximize Business Results
http://www.merc-int.com

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: security hole on windows tomcat?
So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080.

We probably need to take a quick poll: If you have seen this security problem of being able to view JSP source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20 and https://(url)/tomcat/admin/index.jsp%20

Hopefully this mail gets through; I haven't been seeing my emails show up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 6:02:55 AM

can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.
RE: security hole on windows tomcat?
sorry, I don't know - I don't use Apache. This was just a thought that I had.

I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie,
How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
Red Hat Linux.

I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 minutes ago, .exe install, installed as service).

http://localhost/john/test.jsp%20 = 404

John

Paul Sundling wrote:

which operating system?

Paul

John Turner wrote:

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
I just saw this with 4.1.24 on win2k as well. EXTREMELY disturbing!

-Original Message-
From: Mikko Hämäläinen [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:18 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Hi,

I use Tomcat 4.1.18 on win2k and it seems to be safe, I also tested that with Tomcat 4.0.1 on Redhat and it was ok too..

- Original Message -
From: Paul Sundling(Webdaddy) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 7:00 AM
Subject: security hole on windows tomcat?

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
yep, you're correct that the JDK was important in solving this. In case you didn't get the message below, the guys tracked it down to being a problem in JDK 1.4.2. I'll remember to include that information next time.

Paul Sundling

Ralph Einfeldt wrote:

I think you should also include the JDK (vendor and version). It's not impossible that this might be a JDK problem.

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

-

Yes, adding -Dsun.io.useCanonCaches=false to the tomcat seemed to fix the security hole I discovered on my 4.1.24 tomcat on Windows XP using JDK 1.4.2. Great job finding a solution. It's a testament to open source and cooperation. Fortunately it's JSP source it's showing and people should have anything worth seeing in their servlets or EJBs anyway.

Paul Sundling

Jeff Tulley wrote:

I just wanted to make sure you saw this -- Jeanfrancois made the connection that this issue has a known workaround, so you don't have to backrev your JVM if you don't want to. I tried this on Windows XP and NetWare and it worked in both places...

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 7:08:50 PM

Sorry I've just realized this thread may be related to bugtraq #4895132 (thanks to Jeff for the wake up mail on tomcat-dev).

The workaround is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is not working, then point me to a very simple test case and I will file a new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:

I think at this point this might be a worthwhile candidate for Sun's bugparade. At least get it on their radars (if they don't know about it already). It's interesting that the bug doesn't show up in Tomcat 4.1.27. When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit out the source code when it gets a request it doesn't know how to deal with. Upon failure it should result in some kind of error. Sun might care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

It is highly possible that this is dependent on the JVM you have installed. I actually finally WAS able to see this on Windows XP, but only if Tomcat was running on JVM 1.4.2. The problem did NOT happen with 1.4.1. Of course, JVM version is the one item I left off of my poll in my email below.

I'm trying to verify this on other OS's and track down what the actual problem is. But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 4:10:53 PM

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via either port 8080 or port 80 - pages return fine without the %20 suffix, always return http 404 with the suffix.

Murray

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080.

We probably need to take a quick poll: If you have seen this security problem of being able to view JSP source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp
RE: security hole on windows tomcat?
It is highly possible that this is dependent on the JVM you have installed. I actually finally WAS able to see this on Windows XP, but only if Tomcat was running on JVM 1.4.2. The problem did NOT happen with 1.4.1. Of course, JVM version is the one item I left off of my poll in my email below. :)

I'm trying to verify this on other OS's and track down what the actual problem is. But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 4:10:53 PM

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via either port 8080 or port 80 - pages return fine without the %20 suffix, always return http 404 with the suffix.

Murray

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080.

We probably need to take a quick poll: If you have seen this security problem of being able to view JSP source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20 and https://(url)/tomcat/admin/index.jsp%20

Hopefully this mail gets through; I haven't been seeing my emails show up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 6:02:55 AM

can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.
Re: security hole on windows tomcat?
Interesting.

WinXP
Tomcat 4.1.24
http://localhost:8080/examples/jsp/num/numguess.jsp%20

I get the source.

-e

On Mon, 11 Aug 2003, John Turner wrote:

Let's see the Tomcat-only link.

John

Angus Mezick wrote:

Ok guys,
What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had.

I do not have this problem 4.1.24 on Win2k

Charlie
RE: security hole on windows tomcat?
I think you should also include the JDK (vendor and version). It's not impossible that this might be a JDK problem.

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen
RE: security hole on windows tomcat?
Howdy,
Same here, tomcat 4.1.27 on win2k pro, installed from the zip file not as a service, and started via startup.bat, no problems.

Yoav Shapira
Millennium ChemInformatics

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:02 PM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Red Hat Linux.

I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 minutes ago, .exe install, installed as service).

http://localhost/john/test.jsp%20 = 404

John

Paul Sundling wrote:

which operating system?

Paul

John Turner wrote:

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
RE: security hole on windows tomcat?
did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys,
What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had.

I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie,
How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
Howdy,
You are making sure to clean your browser's cache between each test, right?

Yoav Shapira
Millennium ChemInformatics

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:56 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

ARGH! This has gone to just being an apache problem. Tomcat seems to have self corrected. I am very confused but will keep looking. Apache still does it though.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:40 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml and post the log.

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Nope, but this mime mapping exists.

<mime-mapping>
  <extension>jspf</extension>
  <mime-type>text/plain</mime-type>
</mime-mapping>

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys,
What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had.

I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie,
How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
What about your 4.1.2X URLS? Like the current release. I have the latest apache serving to 4.1.27 and I CAN see the jsp code!

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
Nope, but this mime mapping exists.

<mime-mapping>
  <extension>jspf</extension>
  <mime-type>text/plain</mime-type>
</mime-mapping>

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys,
What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had.

I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie,
How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
Sorry I've just realized this thread may be related to bugtraq #4895132 (thanks to Jeff for the wake up mail on tomcat-dev ;-) ).

The workaround is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is not working, then point me to a very simple test case and I will file a new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:

I think at this point this might be a worthwhile candidate for Sun's bugparade. At least get it on their radars (if they don't know about it already). It's interesting that the bug doesn't show up in Tomcat 4.1.27. When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit out the source code when it gets a request it doesn't know how to deal with. Upon failure it should result in some kind of error. Sun might care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

It is highly possible that this is dependent on the JVM you have installed. I actually finally WAS able to see this on Windows XP, but only if Tomcat was running on JVM 1.4.2. The problem did NOT happen with 1.4.1. Of course, JVM version is the one item I left off of my poll in my email below. :)

I'm trying to verify this on other OS's and track down what the actual problem is. But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 4:10:53 PM

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via either port 8080 or port 80 - pages return fine without the %20 suffix, always return http 404 with the suffix.

Murray

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080.

We probably need to take a quick poll: If you have seen this security problem of being able to view JSP source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20 and https://(url)/tomcat/admin/index.jsp%20

Hopefully this mail gets through; I haven't been seeing my emails show up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 6:02:55 AM

can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.
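A detection sketch for the symptom reported in this thread, added here as an example (it is not code from any poster or from the Tomcat project): it scans access-log lines for JSP requests whose path ends in `%20` and separates those answered with 200 (possible source disclosure) from those answered with 404 (what the unaffected posters saw). The Common Log Format layout, the sample lines and all function names are assumptions; the sample lines are constructed.

```python
import re
from collections import namedtuple

# Assumed layout: Common Log Format
#   host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Raw (still percent-encoded) path: ".jsp" followed by one or more "%20".
TRAILING_SPACE_JSP = re.compile(r'\.jsp(?:%20)+$')

Finding = namedtuple("Finding", "host time path status size verdict")


def classify(line):
    """Return a Finding for a '.jsp%20' request, or None for any other line."""
    m = CLF.match(line.strip())
    if not m:
        return None                      # not a parsable access-log line
    path = m.group("target").split("?", 1)[0]   # ignore the query string
    if not TRAILING_SPACE_JSP.search(path):
        return None
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    if status == 200 and size > 0:
        # A body was served for a name that should not resolve to a page.
        verdict = "possible-source-disclosure"
    elif status == 404:
        # The behaviour reported for unaffected installs in the thread.
        verdict = "rejected"
    else:
        verdict = "review"
    return Finding(m.group("host"), m.group("time"), path, status, size, verdict)


def scan(lines):
    """Classify every line and keep only the '.jsp%20' requests."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def exposed_pages(findings):
    """JSP paths (suffix stripped) that were answered with a 200 body."""
    pages = {
        re.sub(r'(?:%20)+$', '', f.path)
        for f in findings
        if f.verdict == "possible-source-disclosure"
    }
    return sorted(pages)


# Constructed sample lines (documentation addresses, paths taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2003:16:10:53 -0600] "GET /index.jsp HTTP/1.1" 200 1843',
    '192.0.2.10 - - [12/Aug/2003:16:11:02 -0600] "GET /index.jsp%20 HTTP/1.1" 200 2310',
    '192.0.2.11 - - [12/Aug/2003:16:12:40 -0600] "GET /examples/jsp/num/numguess.jsp%20 HTTP/1.1" 404 1021',
    '192.0.2.11 - - [12/Aug/2003:16:12:44 -0600] "GET /examples/jsp/num/numguess.jsp%20?x=1 HTTP/1.1" 200 1490',
    '192.0.2.12 - - [12/Aug/2003:16:13:00 -0600] "GET /docs/a%20b.html HTTP/1.1" 200 512',
    'this line is not in Common Log Format',
    '192.0.2.13 - - [12/Aug/2003:16:14:09 -0600] "GET /index.jsp%20 HTTP/1.1" 304 -',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:28} {f.status} {f.size:>6} {f.host:12} {f.path}")
    print("pages to treat as exposed:", exposed_pages(results))
```

Because posters saw the same URL return source on one request and 404 on the next, a page can show up under both verdicts; any single 200 is enough to treat its source as disclosed.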
Re: security hole on windows tomcat?
http://localhost:8080/examples/jsp/num/numguess.jsp%20 = 404

Win 2K Pro
Tomcat 4.1.27

John

Eric J. Pinnell wrote:

Interesting.

WinXP
Tomcat 4.1.24
http://localhost:8080/examples/jsp/num/numguess.jsp%20

I get the source.

-e

On Mon, 11 Aug 2003, John Turner wrote:

Let's see the Tomcat-only link.

John

Angus Mezick wrote:

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie
RE: security hole on windows tomcat?
Mr. Sundling: I'm running tomcat 4.1.27 and that does not appear to be an issue. I used http://localhost:8080/jweb/left.jsp%20; as my url.

-Original Message-
From: Spam Email [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: security hole on windows tomcat?

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
It's a default tomcat 4.1.24 install on windows XP with no apache. You'll note I used port 8080 in my sample, so I'm going directly to tomcat. I went through the web.xml and there is a mapping for *.jsp and there is no space. Even if there were, there's no space in the file itself.

So be sure to mention operating system. I was only able to recreate it on windows, not on linux.

Paul Sundling

Cox, Charlie wrote:

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
Hi,

I use Tomcat 4.1.18 on win2k and it seems to be safe, I also tested that with Tomcat 4.0.1 on Redhat and it was ok too..

- Original Message -
From: Paul Sundling(Webdaddy) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 7:00 AM
Subject: security hole on windows tomcat?

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via either port 8080 or port 80 - pages return fine without the %20 suffix, always return http 404 with the suffix.

Murray

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080.

We probably need to take a quick poll: If you have seen this security problem of being able to view JSP source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20 and https://(url)/tomcat/admin/index.jsp%20

Hopefully this mail gets through; I haven't been seeing my emails show up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 6:02:55 AM

can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.
Re: security hole on windows tomcat?
I've verified that this workaround stops the problem on Win XP's 1.4.2 and on NetWare's 1.4.2

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 7:08:50 PM

Sorry I've just realized this thread may be related to bugtraq #4895132 (thanks to Jeff for the wake up mail on tomcat-dev ;-) ).

The workaround is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is not working, then point me to a very simple test case and I will file a new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:

I think at this point this might be a worthwhile candidate for Sun's bugparade. At least get it on their radars (if they don't know about it already). It's interesting that the bug doesn't show up in Tomcat 4.1.27. When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit out the source code when it gets a request it doesn't know how to deal with. Upon failure it should result in some kind of error. Sun might care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

It is highly possible that this is dependent on the JVM you have installed. I actually finally WAS able to see this on Windows XP, but only if Tomcat was running on JVM 1.4.2. The problem did NOT happen with 1.4.1. Of course, JVM version is the one item I left off of my poll in my email below. :)

I'm trying to verify this on other OS's and track down what the actual problem is. But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 4:10:53 PM

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via either port 8080 or port 80 - pages return fine without the %20 suffix, always return http 404 with the suffix.

Murray

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080.

We probably need to take a quick poll: If you have seen this security problem of being able to view JSP source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20 and https://(url)/tomcat/admin/index.jsp%20

Hopefully this mail gets through; I haven't been seeing my emails show up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 6:02:55 AM

can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.
Re: security hole on windows tomcat?
which operating system?

Paul

John Turner wrote:

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
I think at this point this might be a worthwhile candidate for Sun's bugparade. At least get it on their radars (if they don't know about it already). It's interesting that the bug doesn't show up in Tomcat 4.1.27. When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit out the source code when it gets a request it doesn't know how to deal with. Upon failure it should result in some kind of error. Sun might care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

It is highly possible that this is dependent on the JVM you have installed. I actually finally WAS able to see this on Windows XP, but only if Tomcat was running on JVM 1.4.2. The problem did NOT happen with 1.4.1. Of course, JVM version is the one item I left off of my poll in my email below. :)

I'm trying to verify this on other OS's and track down what the actual problem is. But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 4:10:53 PM

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via either port 8080 or port 80 - pages return fine without the %20 suffix, always return http 404 with the suffix.

Murray

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm pretty sure that others have seen this going directly to port 8080.

We probably need to take a quick poll: If you have seen this security problem of being able to view JSP source, in what scenario(s)?

Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2? (If you've seen the problem, please include your workers or workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

If you have seen this in multiple scenarios, and not in others, please list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20

Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried http://(url):8080/index.jsp%20 and https://(url)/tomcat/admin/index.jsp%20

Hopefully this mail gets through; I haven't been seeing my emails show up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 8/12/03 6:02:55 AM

can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.
RE: security hole on windows tomcat?
fwiw,

windows server 2003 standard edition
j2sdk 1.4.2
jakarta-tomcat-4.1.27-LE-jdk14 zip (not exe)
http://localhost:8080/examples/jsp/num/numguess.jsp%20

problem appeared in opera 7.11
viewed page in ie 6 and got 404
subsequently got 404 in opera
flicked around other samples in opera and saw similar behaviour
went back to numguess and code was back again, despite hitting refresh!

[e.g. http://localhost:8080/examples/jsp/xml/xml.jsp%20

String getDateTimeStr(Locale l) { DateFormat df = SimpleDateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.MEDIUM, l); return df.format(new Date()); }

Example JSP in XML format

This is the output of a simple JSP using XML format.
Use a jsp:scriptlet to loop from 1 to 10:
// Note we need to declare CDATA because we don't escape the less than symbol
for (int i = 1; i<=10; i++) { out.println(i); if (i < 10) { out.println(", "); } }
<br><br>
Use a jsp:expression to write the date and time in the browser's locale:
getDateTimeStr(request.getLocale())
This sentence is enclosed in a jsp:text element.

which subsequently became a 404]

so, for me, the browser appeared to have something to do with it
Re: security hole on windows tomcat?
Yup.

WinXP
Tomcat 4.1.27
http://localhost:8080/examples/jsp/num/numguess.jsp%20 = 404

it's interesting on 4.1.24. I have been goofing around with the examples and sometimes I get source and on others I just get freaky output. For example snoop.jsp doesn't show any source but just blank header info.

-e

On Mon, 11 Aug 2003, John Turner wrote:

http://localhost:8080/examples/jsp/num/numguess.jsp%20 = 404

Win 2K Pro
Tomcat 4.1.27

John

Eric J. Pinnell wrote:

Interesting.

WinXP
Tomcat 4.1.24
http://localhost:8080/examples/jsp/num/numguess.jsp%20

I get the source.

-e

On Mon, 11 Aug 2003, John Turner wrote:

Let's see the Tomcat-only link.

John

Angus Mezick wrote:

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie
RE: security hole on windows tomcat?
ARGH! This has gone to just being an apache problem. Tomcat seems to have self corrected. I am very confused but will keep looking. Apache still does it though.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:40 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml and post the log.

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Nope, but this mime mapping exists.

<mime-mapping>
<extension>jspf</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie, How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
sorry, I overlooked where you mentioned it was the default install. please post a link

Charlie

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie, How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
Can't replicate your problem, tried both linux and win2k
Version of tomcat is the same as yours.

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log.

-Original Message-
From: Paul Sundling [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:43 PM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

I never changed the mime-mapping when I installed it. I run tomcat manually or as a manual service. When I tried running tomcat as an automatic service, it had trouble. The only changes I made were in configs specific to webapps. The problem is present on the unmodified examples webapp. The only two jars I added in the SDK were the JDBC drivers for postgres and mysql.

Paul Sundling

Cox, Charlie wrote:

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie, How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml and post the log.

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Nope, but this mime mapping exists.

<mime-mapping>
  <extension>jspf</extension>
  <mime-type>text/plain</mime-type>
</mime-mapping>

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie, How do you fix this within apache?

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
I never changed the mime-mapping when I installed it. I run tomcat manually or as a manual service. When I tried running tomcat as an automatic service, it had trouble. The only changes I made were in configs specific to webapps. The problem is present on the unmodified examples webapp. The only two jars I added in the SDK were the JDBC drivers for postgres and mysql.

Paul Sundling

Cox, Charlie wrote:

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie, How do you fix this within apache?

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
Re: security hole on windows tomcat?
Let's see the Tomcat-only link.

John

Angus Mezick wrote:

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie
RE: security hole on windows tomcat?
Charlie, How do you fix this within apache?

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie, How do you fix this within apache?

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
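
Charlie's question in the message above describes a mismatch between the name a front end routes on and the name the filesystem opens. The sketch below is an added example, not part of the original thread and not Apache or Tomcat code; it assumes a suffix rule of `*.jsp` and a filesystem that ignores trailing spaces in file names, and reuses request paths quoted in the thread.

```python
from urllib.parse import unquote

JSP_SUFFIX = ".jsp"  # assumed front-end mapping: only *.jsp goes to the servlet engine

# Request paths quoted in the thread, plus one static file (constructed list).
CONSTRUCTED_REQUESTS = [
    "/index.jsp",
    "/index.jsp%20",
    "/examples/jsp/num/numguess.jsp%20",
    "/images/logo.gif",
]


def route(raw_path):
    """Naive rule: match the suffix on the decoded path and nothing else."""
    decoded = unquote(raw_path)
    return "servlet-engine" if decoded.endswith(JSP_SUFFIX) else "static-file"


def file_opened(raw_path):
    """Name the filesystem resolves, assuming it drops trailing spaces."""
    return unquote(raw_path).rstrip(" ")


def source_exposed(raw_path):
    """True when a JSP file would be handed to the static-file handler."""
    return (route(raw_path) == "static-file"
            and file_opened(raw_path).endswith(JSP_SUFFIX))


def safe_route(raw_path):
    """Hardened rule: refuse any path whose decoded form ends in whitespace
    before applying the suffix mapping, so routing and file lookup agree."""
    decoded = unquote(raw_path)
    if decoded != decoded.rstrip():
        return "not-found"
    return route(raw_path)


def audit(raw_paths):
    """Return {path: (naive route, exposed?, hardened route)} per request."""
    return {p: (route(p), source_exposed(p), safe_route(p)) for p in raw_paths}


if __name__ == "__main__":
    for path, row in audit(CONSTRUCTED_REQUESTS).items():
        print(f"{path:40} {row}")
```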
Re: security hole on windows tomcat?
sorry, that should be

http://localhost:8080/john/test.jsp%20 = 404

No Apache is involved.

John

John Turner wrote:

Red Hat Linux. I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 minutes ago, .exe install, installed as service).

http://localhost/john/test.jsp%20 = 404

John

Paul Sundling wrote:

which operating system?

Paul

John Turner wrote:

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
RE: security hole on windows tomcat?
http://localhost/examples/jsp/num/numguess.jsp%20 = 404

(my tomcat is running on port 80)

--- Fabio Moraes [EMAIL PROTECTED] System Engineer Work Force Management System +55 21 3088 9548

-----Original Message-----
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 13:28
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Interesting. WinXP Tomcat 4.1.24

http://localhost:8080/examples/jsp/num/numguess.jsp%20

I get the source.

-e

On Mon, 11 Aug 2003, John Turner wrote:

Let's see the Tomcat-only link.

John

Angus Mezick wrote:

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie
RE: security hole on windows tomcat?
you can also turn on the AccessLogValve in server.xml to show if the request gets to tomcat from apache and to see what it looks like.

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:56 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

ARGH! This has gone to just being an apache problem. Tomcat seems to have self corrected. I am very confused but will keep looking. Apache still does it though.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:40 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml and post the log.

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Nope, but this mime mapping exists.

<mime-mapping>
  <extension>jspf</extension>
  <mime-type>text/plain</mime-type>
</mime-mapping>

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

did you change any mime-mappings in conf/web.xml? could you have a jsp in there somewhere defining it as text?

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide a site where it DOES happen so you guys can see what is happening.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k

Charlie

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?

Charlie, How do you fix this within apache?

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where *.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling
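
To read the AccessLogValve output suggested in the message above, the added example below (not part of the original thread) scans Common Log Format lines for JSP requests with trailing whitespace and separates those answered with 200 from those answered with 404. The log lines are constructed, and it is an assumption that the valve writes the `common` pattern; both the percent-encoded and the already-decoded form of the request are handled.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample; the fifth line shows a target logged after decoding.
CONSTRUCTED_LOG = """\
192.0.2.10 - - [11/Aug/2003:12:56:01 -0400] "GET /index.jsp HTTP/1.1" 200 1543
192.0.2.10 - - [11/Aug/2003:12:56:09 -0400] "GET /index.jsp%20 HTTP/1.1" 200 2210
192.0.2.11 - - [11/Aug/2003:12:57:30 -0400] "GET /john/test.jsp%20 HTTP/1.1" 404 985
192.0.2.12 - - [11/Aug/2003:12:58:02 -0400] "GET /examples/jsp/num/numguess.jsp%20 HTTP/1.1" 200 3391
192.0.2.12 - - [11/Aug/2003:12:58:20 -0400] "GET /index.jsp  HTTP/1.1" 200 2210
192.0.2.13 - - [11/Aug/2003:12:58:40 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120
"""


def classify(line):
    """Return a finding for a JSP request with trailing whitespace, else None."""
    m = LINE.match(line)
    if m is None:
        return None
    # Drop any query string, then decode so %20 and a literal space look alike.
    path = unquote(m.group("target").split("?", 1)[0])
    stem = path.rstrip()
    if stem == path or not stem.lower().endswith(".jsp"):
        return None
    status = int(m.group("status"))
    if 200 <= status < 300:
        verdict = "served"      # the server answered; the body needs checking
    elif status == 404:
        verdict = "rejected"    # the behaviour several posters report
    else:
        verdict = "other"
    return {"host": m.group("host"), "time": m.group("time"), "path": stem,
            "status": status, "size": m.group("size"), "verdict": verdict}


def findings(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for hit in findings(CONSTRUCTED_LOG.splitlines()):
        print(hit["time"], hit["host"], hit["path"], hit["status"], hit["verdict"])
```

A `served` hit only shows that the server answered with 200; whether the body was JSP source still has to be checked, for example by comparing the logged size with that of the normally rendered page.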
Re: security hole on windows tomcat?
I also cannot see this on Windows 2000, or on NetWare, using Tomcat 4.1.18, 4.1.24, or 4.1.26. On NetWare I tried going through Apache and through 8080, on Windows port 8080.

Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322 Novell, Inc., The Leading Provider of Net Business Solutions http://www.novell.com

[EMAIL PROTECTED] 8/11/03 10:01:47 AM

Red Hat Linux. I just tried this on Windows 2000 Pro, Tomcat 4.1.27 (downloaded 30 minutes ago, .exe install, installed as service).

http://localhost/john/test.jsp%20 = 404

John

Paul Sundling wrote:

which operating system?

Paul

John Turner wrote:

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page:

http://192.168.1.54:8080/index.jsp shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?