[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability; Apache Tomcat 4.0.6 released
A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5), which allows a specially crafted URL to be used to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was disclosed on 09/24/2002.

The cause
---------

Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability.

Who is vulnerable
-----------------

- All Tomcat 4.0.x releases, except those in which the invoker servlet is disabled (this is not the default setting).
- All Tomcat 4.1.x releases before 4.1.12, except those in which the invoker servlet is disabled (this is not the default setting), as well as 4.1.12 if and only if the invoker servlet has been enabled. The default Tomcat 4.1.12 installation is not vulnerable.

Fixes and workarounds
---------------------

Doing any of the following will resolve the security problem:

A) Disabling the invoker servlet

In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment:

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

B) If running any Tomcat 4.0.x releases, download and install the following binary patch:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Simply unzip the archive in the $CATALINA_HOME folder (on Windows %CATALINA_HOME%). Make sure paths are preserved when unzipping. The patch will overwrite the default webapp configuration file ($CATALINA_HOME/conf/web.xml) to add a workaround to protect against the security vulnerability.

C) If running Tomcat 4.1.12 and the invoker servlet was enabled, it must be disabled at this time. A new Tomcat 4.1.x release incorporating the fix to the invoker servlet will be made available shortly.

D) If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.

New release
-----------

The Apache Tomcat Team announces the immediate availability of a new release which includes a fix to the invoker servlet.

Apache Tomcat 4.0.6:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/

Remy

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Carrie Salazar wrote:

> I did see my JSP source when I tried this bug (Tomcat 4.0.4/Apache 2.0.40). I just deleted my JKMount to servlet and mapped only the applications being used as mentioned in this group and now I can no longer see my JSP source with this method. I'll eventually move to Tomcat 4.0.5 but I wanted to apply some security immediately.

Yes, you can remove the servlet invoker mapping as I noted in the email on the security issue or on the Jakarta website news post.

Remy
Questions about [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Maybe I don't understand, but DefaultServlet, which is supposed to serve static content, is disabled... How are we supposed to serve up pictures, etc. that are static??
Re: Questions about [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
The DefaultServlet is OK. But it was being called by the invoker servlet in a roundabout (unintended) manner. The invoker servlet is typically mapped to /servlet/*. The invoker servlet should be disabled, or restricted using many of the ways described in other threads. You should be fine allowing the DefaultServlet to work.

Adam Greene wrote:

> Maybe I don't understand, but DefaultServlet, which is supposed to serve static content, is disabled... How are we supposed to serve up pictures, etc. that are static??
RE: Questions about [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
The servlet to be disabled is the invoker servlet, not the DefaultServlet. The reason you see DefaultServlet so much in these postings is that the DefaultServlet can be tricked into serving the sources of your JSPs by invoking it over the invoker servlet, thereby treating JSPs like static content. But the trouble is originating in the invoker servlet.

Andreas Mohrig

-----Original Message-----
From: Adam Greene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:47 PM
To: Tomcat Users List
Subject: Questions about [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> Maybe I don't understand, but DefaultServlet, which is supposed to serve static content, is disabled... How are we supposed to serve up pictures, etc. that are static??
RE: Questions about [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
On Thu, 26 Sep 2002, Andreas Mohrig wrote:

> The servlet to be disabled is the invoker servlet, not the DefaultServlet. The reason you see DefaultServlet so much in these postings is that the DefaultServlet can be tricked into serving the sources of your JSPs by invoking it over the invoker servlet, thereby treating JSPs like static content. But the trouble is originating in the invoker servlet.

Right. And to add a bit of perhaps clarifying information, "invoking" in this context means calling a servlet using a URL of the form:

    http://www.domain.com/context/servlet/full.class.name.of.servlet

That is, /servlet is a virtual directory that invokes the invoker servlet, and full.class.name.of.servlet includes the package and class name of the servlet class. This was the main/only way of calling servlets way back when, but now the favored way is to define servlets in web.xml. And some say this invoking method of calling servlets should be disabled as a security precaution anyway, and only defined servlets should be allowed (i.e., even before this bug showed up). This is all controlled by a servlet definition and mapping in the web.xml (in Tomcat 4.0.X, at least, and I assume 4.1.X as well) -- look for "invoker" in it.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
The servlets are not vulnerable since their code is under WEB-INF and is successfully protected from downloads. All other interpreted application stuff outside of WEB-INF, like JSP, is vulnerable since it can be downloaded as regular files but not be processed by the corresponding engine. That's why I believe Velocity should suffer from this bug in the same way JSP does. I didn't test Velocity but there is not any reason that it will be resistant to this exposure.

Regards,
Rossen Raykov

-----Original Message-----
From: Kent Perrier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
>
> > OK, thanks. (The BugTraq search engine wasn't working when I checked there.) So it sounds pretty much like what I thought it was. I still don't understand why Velocity wouldn't be vulnerable to this exploit.
>
> It sounds to me like it should be. From the bugtraq post, all servlets and JSPs that run in a Tomcat instance are vulnerable. Since Velocity runs under Tomcat, logically, it is vulnerable. All other claims are illogical.
>
> Kent
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Anyway, using scriptlets (JSP) is a bad practice... good code uses only taglibs.

On Wed, 2002-09-25 at 10:57, Rossen Raykov wrote:

> The servlets are not vulnerable since their code is under WEB-INF and is successfully protected from downloads. All other interpreted application stuff outside of WEB-INF, like JSP, is vulnerable since it can be downloaded as regular files but not be processed by the corresponding engine. That's why I believe Velocity should suffer from this bug in the same way JSP does. I didn't test Velocity but there is not any reason that it will be resistant to this exposure.
>
> Regards,
> Rossen Raykov

--
Felipe Schnack
Systems Analyst
[EMAIL PROTECTED]
Cell: (51)91287530
Linux Counter #281893
Faculdade Ritter dos Reis
www.ritterdosreis.br
[EMAIL PROTECTED]
Phone/Fax: (51)32303328
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Hi. I've just confirmed that Velocity (at least in Turbine v2.1) suffers from this problem.

Regards,
Dan

On Wed, 25 Sep 2002, Rossen Raykov wrote:

> The servlets are not vulnerable since their code is under WEB-INF and is successfully protected from downloads. All other interpreted application stuff outside of WEB-INF, like JSP, is vulnerable since it can be downloaded as regular files but not be processed by the corresponding engine. That's why I believe Velocity should suffer from this bug in the same way JSP does. I didn't test Velocity but there is not any reason that it will be resistant to this exposure.
>
> Regards,
> Rossen Raykov
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Please let me know if you are still experiencing this. It looks correct to me right now.

Thanks,
Rob Reed
Isomedia.com

On Wed, 2002-09-25 at 14:28, Dan K. wrote:

> Hi. I've just confirmed that Velocity (at least in Turbine v2.1) suffers from this problem.
>
> Regards,
> Dan
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
I'm referring to Tomcat v4.0.4 with Turbine v2.1 on both Windows XP and Linux platforms, and yes it does suffer from the vulnerability. I've not tried the fixed versions 4.0.5 or 4.1.12 yet.

Regards,
Dan

On 25 Sep 2002, Rob Reed wrote:

> Please let me know if you are still experiencing this. It looks correct to me right now.
>
> Thanks,
> Rob Reed
> Isomedia.com
Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
I tried to test this security vulnerability on my Tomcat 4.0.4 (alone) setup but wasn't able to view my JSP files as claimed. According to http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0, if my JSP file is accessible via

    http://donor.ucsd.edu:7873/ccdb/experiment/index.jsp

then I should be able to view my source. However, I tried 2 different URLs:

    http://donor.ucsd.edu:7873/ccdb/experiment/org.apache.catalina.servlets.DefaultServlet/index.jsp
    http://donor.ucsd.edu:7873/org.apache.catalina.servlets.DefaultServlet/ccdb/experiment/index.jsp

and all I got was a Tomcat 404 error page. Has anyone actually been able to view their JSP source via this vulnerability?

Mona

==
Mona Wong-Barnum
National Center for Microscopy and Imaging Research
University of California, San Diego
http://ncmir.ucsd.edu/
"The truth shall set you free, but first it will piss you off" - A Landmark instructor
==
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
The URL would be:

    http://donor.ucsd.edu:7873/ccdb/servlet/org.apache.catalina.servlets.DefaultServlet/experiment/index.jsp

And yes, you are vulnerable ;-)

Broken down:

/ccdb - the context path of your webapp
/servlet - the path mapped to the invoker servlet **this is the dangerous part**
/org.apache.catalina.servlets.DefaultServlet - used by the invoker servlet to determine what servlet class to invoke
/experiment/index.jsp - the context-relative path to your JSP, served statically by the DefaultServlet

--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863

-----Original Message-----
From: Mona Wong-Barnum [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 6:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> I tried to test this security vulnerability on my Tomcat 4.0.4 (alone) setup but wasn't able to view my JSP files as claimed. According to http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0, if my JSP file is accessible via http://donor.ucsd.edu:7873/ccdb/experiment/index.jsp then I should be able to view my source. However, I tried 2 different URLs (http://donor.ucsd.edu:7873/ccdb/experiment/org.apache.catalina.servlets.DefaultServlet/index.jsp and http://donor.ucsd.edu:7873/org.apache.catalina.servlets.DefaultServlet/ccdb/experiment/index.jsp) and all I got was a Tomcat 404 error page. Has anyone actually been able to view their JSP source via this vulnerability?
>
> Mona
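Tim's breakdown above gives the request shape a defender should look for in access logs. As an added example (not from the list or from Tomcat itself), here is a Python scan over constructed Tomcat access-log lines in the "common" AccessLogValve format that flags requests routed through /servlet/ and rates those naming a container-internal class, such as DefaultServlet, as high; the hosts, timestamps and the com.example.ReportServlet name are invented.

```python
"""Flag Tomcat access-log requests that route through the invoker servlet.

Added example, not from the mailing list or from Tomcat. The log lines are
constructed in Tomcat's "common" AccessLogValve format (%h %l %u %t "%r" %s %b)
and use the /ccdb context discussed in the thread.
"""
import re
from collections import namedtuple

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)$')

# /<context>/servlet/<class.or.alias>[/<path info>] - the shape broken down above.
INVOKER_RE = re.compile(
    r'^(?P<context>(?:/[^/]+)?)/servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)'
    r'(?P<info>/.*)?$')

# Container-internal servlets; reaching one through the invoker is the advisory's misuse.
CONTAINER_PREFIX = "org.apache.catalina."

Finding = namedtuple("Finding", "host context cls info status severity")


def classify_path(path):
    """Return (context, class, path-info, severity) for an invoker-style request, else None.

    'high' - a Tomcat-internal class (e.g. DefaultServlet) is named in the URL; with a
             2xx status the resource after it was served raw, as in the advisory.
    'info' - any other /servlet/ request: the invoker is still enabled, so the
             workaround from the advisory has not been applied to this instance.
    """
    path = path.split("?", 1)[0]          # ignore the query string
    m = INVOKER_RE.match(path)
    if not m:
        return None
    cls = m.group("cls")
    severity = "high" if cls.startswith(CONTAINER_PREFIX) else "info"
    return m.group("context"), cls, m.group("info") or "", severity


def scan_access_log(lines):
    """Parse log lines and return a Finding for each invoker-routed request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        hit = classify_path(m.group("path"))
        if hit is None:
            continue
        context, cls, info, severity = hit
        findings.append(Finding(m.group("host"), context, cls, info,
                                int(m.group("status")), severity))
    return findings


# Constructed sample log (hosts and times invented).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2002:18:16:02 -0400] "GET /ccdb/experiment/index.jsp HTTP/1.0" 200 1532
10.0.0.5 - - [25/Sep/2002:18:16:09 -0400] "GET /ccdb/servlet/org.apache.catalina.servlets.DefaultServlet/experiment/index.jsp HTTP/1.0" 200 871
10.0.0.7 - - [25/Sep/2002:18:17:40 -0400] "GET /ccdb/servlet/com.example.ReportServlet?id=3 HTTP/1.0" 200 410
10.0.0.9 - - [25/Sep/2002:18:18:01 -0400] "GET /ccdb/servlet/org.apache.catalina.servlets.DefaultServlet/experiment/admin.jsp HTTP/1.0" 404 -
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:<4} {f.host} {f.context}/servlet/{f.cls}{f.info} -> {f.status}")
```

A 404 on a high-severity line still shows someone probing for the invoker path even though nothing was disclosed, which is worth alerting on while the workaround is being rolled out.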
Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
I did see my JSP source when I tried this bug (Tomcat 4.0.4/Apache 2.0.40). I just deleted my JKMount to servlet and mapped only the applications being used as mentioned in this group and now I can no longer see my JSP source with this method. I'll eventually move to Tomcat 4.0.5 but I wanted to apply some security immediately.

--
carrie s.

On Wed, Sep 25, 2002 at 03:15:31PM -0700, Mona Wong-Barnum wrote:

> I tried to test this security vulnerability on my Tomcat 4.0.4 (alone) setup but wasn't able to view my JSP files as claimed. According to http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0, if my JSP file is accessible via http://donor.ucsd.edu:7873/ccdb/experiment/index.jsp then I should be able to view my source. However, I tried 2 different URLs (http://donor.ucsd.edu:7873/ccdb/experiment/org.apache.catalina.servlets.DefaultServlet/index.jsp and http://donor.ucsd.edu:7873/org.apache.catalina.servlets.DefaultServlet/ccdb/experiment/index.jsp) and all I got was a Tomcat 404 error page. Has anyone actually been able to view their JSP source via this vulnerability?
>
> Mona
[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows a specially crafted URL to be used to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated.

The cause
---------

Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability. This particular configuration is available in the default Tomcat configuration.

Workarounds
-----------

An easy workaround exists for existing Tomcat installations, by disabling the invoker servlet in the default webapp configuration. In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment:

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

Releases
--------

The Apache Tomcat Team announces the immediate availability of new releases which include a fix to the invoker servlet.

Apache Tomcat 4.1.12 Stable:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Tomcat 4.0.5:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Remy
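Both advisories (this one and the 4.0.6 follow-up at the top of the page) give the same workaround: comment out or remove the invoker mapping in conf/web.xml. As an added example, not part of either advisory or of Tomcat, here is a Python audit that reports whether a web.xml still exposes the invoker, run against a constructed copy of the default Tomcat 4 configuration and its hardened form; it goes a little beyond the advisory's text by also catching an invoker declared under a different servlet-name and by accepting later, namespaced web.xml files.

```python
"""Audit a Tomcat conf/web.xml for the invoker servlet mapping (workaround A).

Added example, not part of the advisory or of Tomcat itself. The constructed
web.xml below mirrors the Tomcat 4 default: a DefaultServlet mapped to "/"
and an InvokerServlet mapped to "/servlet/*".
"""
import xml.etree.ElementTree as ET

# Class name of the Tomcat 4 invoker servlet (as declared in conf/web.xml).
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"


def _local(tag):
    """Strip a namespace prefix ('{uri}servlet' -> 'servlet') so the audit also
    works on later, namespaced web.xml files, not only the 2.3 DTD one."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def find_invoker_mappings(web_xml_text):
    """Return [(servlet-name, url-pattern)] for every mapping that exposes the invoker.

    A mapping counts when its servlet-name is the conventional 'invoker' or when
    that name is declared with the InvokerServlet class (so a renamed invoker is
    still caught). An empty list means the advisory's workaround is in place.
    The XML parser never sees commented-out elements, so commenting the
    fragment out, as the advisory suggests, is reported as disabled.
    """
    root = ET.fromstring(web_xml_text)
    invoker_names = {"invoker"}
    for elem in root:
        if _local(elem.tag) == "servlet" and _child_text(elem, "servlet-class") == INVOKER_CLASS:
            name = _child_text(elem, "servlet-name")
            if name:
                invoker_names.add(name)
    exposed = []
    for elem in root:
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = _child_text(elem, "servlet-name")
        if name in invoker_names:
            exposed.append((name, _child_text(elem, "url-pattern")))
    return exposed


# Constructed sample: the vulnerable default (invoker mapped at /servlet/*).
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# The same file after workaround A: the invoker mapping is commented out.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "  <servlet-mapping>\n    <servlet-name>invoker</servlet-name>",
    "  <!-- <servlet-mapping>\n    <servlet-name>invoker</servlet-name>",
).replace(
    "/servlet/*</url-pattern>\n  </servlet-mapping>",
    "/servlet/*</url-pattern>\n  </servlet-mapping> -->",
)


def audit(web_xml_text):
    """Human-readable verdict for one web.xml."""
    exposed = find_invoker_mappings(web_xml_text)
    if not exposed:
        return "OK: invoker servlet is not mapped"
    return "VULNERABLE: invoker reachable via " + ", ".join(p for _, p in exposed)


if __name__ == "__main__":
    print("default web.xml  ->", audit(VULNERABLE_WEB_XML))
    print("hardened web.xml ->", audit(HARDENED_WEB_XML))
```

To check a real installation, read $CATALINA_HOME/conf/web.xml and pass its contents to audit(); the DefaultServlet mapping at "/" is left alone, which is what the follow-up replies in this thread recommend.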
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Do us, or rather me, a favor, and take your arrogant, l33t rant somewhere else. Believe me, I'm already awake.

John

-----Original Message-----
From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 5:26 PM
To: tomcat-dev; Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> Once again...JSP sucks and Velocity is the right way to go...you will never have to worry about your container spilling your beans (pun intended). Given that Tomcat gets around 100k+ downloads/week...imagine how many servers now need to be updated and how much money and time that will cost to do so?
>
> http://jakarta.apache.org/velocity/
>
> Wake up people. Velocity is faster and more secure than JSP will ever be.
>
> -jon
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
I'm having a hard time finding many specifics about this exploit. It sounds like you're forcing the default servlet to serve up the source page as static content. Why isn't Velocity vulnerable in the same way?

I'll buy that Velocity is faster than JSP, and certainly can be more concise and readable. I haven't seen much about security. What makes it more secure than JSP?

--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863

-----Original Message-----
From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 5:26 PM
To: tomcat-dev; Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> Once again...JSP sucks and Velocity is the right way to go...you will never have to worry about your container spilling your beans (pun intended). Given that Tomcat gets around 100k+ downloads/week...imagine how many servers now need to be updated and how much money and time that will cost to do so?
>
> http://jakarta.apache.org/velocity/
>
> Wake up people. Velocity is faster and more secure than JSP will ever be.
>
> -jon
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
The problem is not connected directly to the JSPs or the JSP engine. It's the default servlet that has the problem. I didn't test it but I believe using this vulnerability one can get Velocity also. What he will find inside depends only on the programmers/designers in both cases.

Regards,
Rossen

-----Original Message-----
From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 5:26 PM
To: tomcat-dev; Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> Once again...JSP sucks and Velocity is the right way to go...you will never have to worry about your container spilling your beans (pun intended). Given that Tomcat gets around 100k+ downloads/week...imagine how many servers now need to be updated and how much money and time that will cost to do so?
>
> http://jakarta.apache.org/velocity/
>
> Wake up people. Velocity is faster and more secure than JSP will ever be.
>
> -jon
Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote:

> A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows a specially crafted URL to be used to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated.

Once again...JSP sucks and Velocity is the right way to go...you will never have to worry about your container spilling your beans (pun intended). Given that Tomcat gets around 100k+ downloads/week...imagine how many servers now need to be updated and how much money and time that will cost to do so?

http://jakarta.apache.org/velocity/

Wake up people. Velocity is faster and more secure than JSP will ever be.

-jon
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
See the original posting on BugTraq for more details:
http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0

Regards,
Rossen Raykov

-----Original Message-----
From: Tim Moore [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 5:34 PM
To: Tomcat Users List
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> I'm having a hard time finding many specifics about this exploit. It sounds like you're forcing the default servlet to serve up the source page as static content. Why isn't Velocity vulnerable in the same way?
>
> I'll buy that Velocity is faster than JSP, and certainly can be more concise and readable. I haven't seen much about security. What makes it more secure than JSP?
>
> --
> Tim Moore / Blackboard Inc. / Software Engineer
> 1899 L Street, NW / 5th Floor / Washington, DC 20036
> Phone 202-463-4860 ext. 258 / Fax 202-463-4863
RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
OK, thanks. (The BugTraq search engine wasn't working when I checked there.) So it sounds pretty much like what I thought it was. I still don't understand why Velocity wouldn't be vulnerable to this exploit.

--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863

-----Original Message-----
From: Rossen Raykov [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:17 PM
To: 'Tomcat Users List'
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

> See the original posting on BugTraq for more details:
> http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0
>
> Regards,
> Rossen Raykov
Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
> OK, thanks. (The BugTraq search engine wasn't working when I checked there.) So it sounds pretty much like what I thought it was. I still don't understand why Velocity wouldn't be vulnerable to this exploit.

It sounds to me like it should be. From the BugTraq post, all servlets and JSPs that run in a Tomcat instance are vulnerable. Since Velocity runs under Tomcat, logically, it is vulnerable. All other claims are illogical.

Kent
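The thread above turns on the invoker servlet (the /servlet/* mapping in $CATALINA_HOME/conf/web.xml) being left enabled, and the published workaround was to remove or comment out that servlet-mapping. The following is an added example, not code from the list or from the Tomcat project: a small audit script that parses a web.xml and reports whether any url-pattern is still bound to the "invoker" servlet, so an administrator can confirm the workaround actually took effect across a fleet of installations. The two web.xml documents it carries are constructed samples that mimic the shape of the stock file before and after the change; the function names are mine.

```python
"""Audit a Tomcat 4 conf/web.xml for an active invoker servlet mapping.

Added example, not from the mailing-list thread or the Tomcat project.
Assumes the published workaround: the invoker servlet is disabled by
removing or commenting out the <servlet-mapping> that binds "invoker"
to /servlet/* in $CATALINA_HOME/conf/web.xml. VULNERABLE_WEB_XML and
FIXED_WEB_XML are constructed samples, not the real Tomcat files.
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit('}', 1)[-1]


def invoker_mappings(web_xml_text):
    """Return the url-patterns still bound to the invoker servlet.

    ElementTree discards XML comments while parsing, so a mapping the
    administrator commented out is simply absent from the tree, which is
    exactly the state we want to distinguish from a live mapping.
    """
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != 'servlet-mapping':
            continue
        name = pattern = None
        for child in mapping:
            if _local(child.tag) == 'servlet-name':
                name = (child.text or '').strip()
            elif _local(child.tag) == 'url-pattern':
                pattern = (child.text or '').strip()
        if name == 'invoker' and pattern:
            patterns.append(pattern)
    return patterns


def invoker_enabled(web_xml_text):
    """True when at least one invoker mapping is live."""
    return bool(invoker_mappings(web_xml_text))


def check_file(path):
    """Read a web.xml from disk and report whether the invoker is live."""
    with open(path, 'rb') as fh:
        return invoker_enabled(fh.read())


# Constructed sample: stock shape before the workaround (mapping active).
VULNERABLE_WEB_XML = """<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file after commenting out the mapping.
FIXED_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == '__main__':
    if len(sys.argv) > 1:
        print('invoker enabled:', check_file(sys.argv[1]))
    else:
        for label, doc in (('vulnerable', VULNERABLE_WEB_XML), ('fixed', FIXED_WEB_XML)):
            print(label, invoker_mappings(doc))
```

Run it as `python check_invoker.py $CATALINA_HOME/conf/web.xml` on each host; a non-empty list of patterns means the mapping is still live. The check deliberately looks at the mapping rather than the `<servlet>` definition, because a defined-but-unmapped invoker is not reachable by URL, while a mapped one is.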
Tomcat 4 with JSP
So, nobody here knows how to use Apache + Tomcat 4 with JSP? Is it even possible?

Like everyone knows, JSP files should be stored on the Apache server along with all other static content. I haven't been able to figure out how to convince Apache to cooperate with Tomcat 4 for execution of JSP files.

I have no problems with normal servlets, which are served from SPECIAL directories and can be easily defined in httpd.conf by:

    WebAppDeploy servlet conn /servlet/

Kind regards,
Adam: Kurzawa
Re: Tomcat 4 with JSP
Here is the relevant httpd.conf:

    WebAppConnection conn warp localhost:8009
    NameVirtualHost 193.133.123.162
    <VirtualHost 193.133.123.162>
        ServerName pan.web.roadrunner.uk.com
        DocumentRoot /usr/local/apache/pan.web.roadrunner.uk.com/htdocs
        WebAppDeploy ct conn /ct/
        WebAppDeploy b2b conn /b2b/
        WebAppDeploy logon conn /logon/
        WebAppDeploy wh conn /wh/
        WebAppDeploy edi conn /edi/
    </VirtualHost>

Here is the relevant server.xml:

    <Host name="pan.web.roadrunner.uk.com" debug="1" appBase="webapps">
        <Context path="" docBase="ROOT" debug="0"/>
        <Context path="/ct" docBase="ct" debug="1" crossContext="true" reloadable="true">
        </Context>
        <Context path="/b2b" docBase="b2b" debug="1" crossContext="true" reloadable="true">
        </Context>
        <Context path="/logon" docBase="logon" debug="1" crossContext="true" reloadable="true">
        </Context>
        <Context path="/wh" docBase="wh" debug="1" crossContext="true" reloadable="true">
        </Context>
    </Host>
    </Engine>
    </Service>
    </Server>

I have five separate contexts. I then place my jsp pages in TOMCAT_HOME/webapps/ct/*.jsp for example; then the page pan.web.roadrunner.uk.com/ct/*.jsp will retrieve the jsp page.

----- Original Message -----
From: Adam: Kurzawa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 27, 2001 8:11 AM
Subject: Tomcat 4 with JSP

> So, nobody here knows how to use Apache + Tomcat 4 with JSP? Is it even possible?
>
> Like everyone knows, JSP files should be stored on the Apache server along with all other static content. I haven't been able to figure out how to convince Apache to cooperate with Tomcat 4 for execution of JSP files.
>
> I have no problems with normal servlets, which are served from SPECIAL directories and can be easily defined in httpd.conf by:
>
>     WebAppDeploy servlet conn /servlet/
>
> Kind regards,
> Adam: Kurzawa
tomcat 4 and JSP compile problem
I am running FreeBSD4.2, tomcat 4.0-b1, linux-jdk1.3.0

Can you help me fix this: When I try to run the JSP examples on Tomcat 4, I get the following error:

    A Servlet Exception Has Occurred

    org.apache.jasper.JasperException: Unable to compile class for JSP
    tomcat/bin/../work/localhost/examples/_0002fjsp_0002fnum_0002fnumguess_0002ejspnumguess_jsp_0.java:153: Incompatible type for method. Explicit cast needed to convert java.lang.Throwable to java.lang.Exception.
            if (pageContext != null) pageContext.handlePageException(t);
                                                                    ^
    1 error

        at org.apache.jasper.compiler.Compiler.compile(Compiler.java:294)
        at org.apache.jasper.servlet.JspServlet.doLoadJSP(JspServlet.java:478)
        at org.apache.jasper.servlet.JasperLoader12.loadJSP(JasperLoader12.java:146)
        at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:449)
        at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:159)
        at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:171)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:328)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:407)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:251)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:977)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:196)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:464)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:242)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:975)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2041)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:414)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:975)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:159)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:977)
        at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:818)
        at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:897)
        at java.lang.Thread.run(Thread.java:484)
Re: tomcat 4 and JSP compile problem
Michael Dewhirst wrote:
> I am running FreeBSD4.2, tomcat 4.0-b1, linux-jdk1.3.0

Most likely explanation is an old copy of servlet.jar on your class path, or in your Java system extensions directory ($JAVA_HOME/jre/lib/ext). The handlePageException() method was updated relatively recently.

> Can you help me fix this:

Craig McClanahan
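The diagnosis above rests on class-loader order: a servlet.jar sitting in $JAVA_HOME/jre/lib/ext or on CLASSPATH is resolved by the extension or system class loader before Tomcat's own loaders, so Jasper compiles generated JSP classes against whatever javax.servlet.jsp.PageContext that stale jar carries. The following is an added example, not code from the list or from Tomcat: a script that walks those two locations and lists every jar containing javax.servlet classes, flagging the ones that also ship PageContext. The temporary directory tree it builds for its self-test is constructed; the function names are mine.

```python
"""Find servlet API jars that the JVM loads ahead of Tomcat's own copy.

Added example, not from the thread. It follows the diagnosis given
above: a stale servlet.jar in $JAVA_HOME/jre/lib/ext or on CLASSPATH is
found by the extension or system class loader before Tomcat's class
loaders, so Jasper compiles against an old javax.servlet.jsp.PageContext.
The tree and jars produced by make_demo_tree() are constructed for
illustration only.
"""
import os
import tempfile
import zipfile

PAGE_CONTEXT_CLASS = "javax/servlet/jsp/PageContext.class"


def servlet_api_jars(paths):
    """Return (jar_path, contains_PageContext) for every jar under the
    given directories, or named directly, that carries javax.servlet
    classes. Non-existent paths and non-jar files are skipped."""
    found = []
    for p in paths:
        candidates = []
        if os.path.isdir(p):
            for root, _, files in os.walk(p):
                candidates.extend(os.path.join(root, f) for f in sorted(files))
        elif os.path.isfile(p):
            candidates.append(p)
        for jar in candidates:
            if not jar.lower().endswith(".jar") or not zipfile.is_zipfile(jar):
                continue
            with zipfile.ZipFile(jar) as z:
                names = set(z.namelist())
            if any(n.startswith("javax/servlet/") for n in names):
                found.append((jar, PAGE_CONTEXT_CLASS in names))
    return found


def shadowing_servlet_jars(java_home, classpath=""):
    """Servlet API jars in the JRE extension dir or on CLASSPATH. Any hit
    here is loaded before Tomcat's common/lib and should be removed."""
    paths = [os.path.join(java_home, "jre", "lib", "ext")]
    paths += [p for p in classpath.split(os.pathsep) if p]
    return servlet_api_jars(paths)


def make_demo_tree(base):
    """Constructed layout: a JDK whose ext dir holds an old servlet.jar
    next to an unrelated jar that must not be reported."""
    ext = os.path.join(base, "jdk", "jre", "lib", "ext")
    os.makedirs(ext)
    with zipfile.ZipFile(os.path.join(ext, "servlet.jar"), "w") as z:
        z.writestr("javax/servlet/Servlet.class", b"")
        z.writestr(PAGE_CONTEXT_CLASS, b"")
    with zipfile.ZipFile(os.path.join(ext, "unrelated.jar"), "w") as z:
        z.writestr("com/example/Unrelated.class", b"")
    return os.path.join(base, "jdk")


def demo():
    """Run the check against the constructed tree; returns basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        java_home = make_demo_tree(tmp)
        return [(os.path.basename(j), pc)
                for j, pc in shadowing_servlet_jars(java_home)]


if __name__ == "__main__":
    java_home = os.environ.get("JAVA_HOME")
    if java_home:
        hits = shadowing_servlet_jars(java_home, os.environ.get("CLASSPATH", ""))
        for jar, has_pc in hits:
            print(jar, "(ships PageContext)" if has_pc else "")
    else:
        print(demo())
```

With JAVA_HOME set, the script prints each offending jar; with nothing set it runs against the constructed tree. A jar flagged with PageContext in the ext directory is the case Craig describes, since the extension loader wins over the Tomcat loaders regardless of what ships in the container's own lib directories.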