I've verified that this workaround stops the problem on Win XP's 1.4.2 and on NetWare's 1.4.2
Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/12/03 7:08:50 PM >>>
Sorry, I've just realized this thread may be related to bugtraq #4895132 (thanks to Jeff for the wake-up mail on tomcat-dev ;-) ).

The workaround is to add the following property when starting Tomcat:

-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is not working, then point me to a very simple test case and I will file a new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:
>I think at this point this might be a worthwhile candidate for Sun's
>bugparade. At least get it on their radars (if they don't know about it
>already). It's interesting that the bug doesn't show up in Tomcat 4.1.27.
>When 1.4.2 was released 4.1.24 was the latest stable build.
>
>Regardless, the JDK/appserver/whatever should never puke its guts and spit
>out the source code when it gets a request it doesn't know how to deal
>with. Upon failure it should result in some kind of error. Sun might
>care about this...
>
>-e
>
>On Tue, 12 Aug 2003, Jeff Tulley wrote:
>
>>It is highly possible that this is dependent on the JVM you have
>>installed. I actually finally WAS able to see this on Windows XP, but
>>only if Tomcat was running on JVM 1.4.2. The problem did NOT happen
>>with 1.4.1. Of course, JVM version is the one item I left off of my
>>"poll" in my email below. :)
>>
>>I'm trying to verify this on other OSes and track down what the actual
>>problem is.
>>
>>But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.
>>
>>Jeff Tulley ([EMAIL PROTECTED])
>>(801)861-5322
>>Novell, Inc., The Leading Provider of Net Business Solutions
>>http://www.novell.com
>>
>>>>>[EMAIL PROTECTED] 8/12/03 4:10:53 PM >>>
>>Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
>>either port 8080 or port 80 - pages return fine without the %20 suffix,
>>always return http 404 with the suffix.
>>
>>Murray
>>
>>-----Original Message-----
>>From: Jeff Tulley [mailto:[EMAIL PROTECTED]
>>Sent: Wednesday, 13 August 2003 02:41
>>To: [EMAIL PROTECTED]
>>Subject: RE: security hole on windows tomcat?
>>
>>So this issue is confusing. It seems that indeed there IS an issue,
>>though most cannot see a problem.
>>Talking to some people off-list, it seems that some think it is a JK2 /
>>workers2.properties issue. But I'm pretty sure that others have seen
>>this going directly to port 8080.
>>We probably need to take a quick poll:
>>
>>If you have seen this security problem of being able to view JSP
>>source, in what scenario(s)?
>>
>>Tomcat version
>>OS version
>>Directly to Tomcat ("8080") or through Apache - JK or JK2?
>>(If you've seen the problem, please include your workers or
>>workers2.properties file, with a .txt extension)
>>Browser version(s)
>>URLs where this was seen or not seen
>>
>>If you have seen this in multiple scenarios, and not in others, please
>>list each separately.
>>
>>I have NOT seen it in the following scenarios:
>>
>>Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
>>Windows 2000 5.00.2195 Service Pack 4
>>Directly to port 8080
>>Internet Explorer 6.0.2800.1106 with all security patches up to date
>>I tried http://(url):8080/index.jsp%20
>>
>>Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
>>adding one JNDIRealm beyond the default config)
>>Novell NetWare 6.5
>>Directly to port 8080, and through Apache - mod_jk.nlm
>>Internet Explorer 6.0.2800.1106 with all security patches up to date
>>I tried http://(url):8080/index.jsp%20 and
>>https://(url)/tomcat/admin/index.jsp%20
>>
>>Hopefully this mail gets through; I haven't been seeing my emails show
>>up on tomcat-user for some reason (I un/resubscribed today...)
>>
>>It would be really good to get to the bottom of this!
>>
>>Jeff Tulley ([EMAIL PROTECTED])
>>(801)861-5322
>>Novell, Inc., The Leading Provider of Net Business Solutions
>>http://www.novell.com
>>
>>>>>[EMAIL PROTECTED] 8/12/03 6:02:55 AM >>>
>>Can you turn on debugging for the default servlet (conf/web.xml) and
>>also turn on the RequestDumperValve (server.xml) and post the log.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
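A regression check for the symptom the thread describes, added here as an example (it is not code from the thread, from Tomcat or from Sun): it requests a JSP page on a server you administer with and without the trailing %20 and classifies the second response, so the effect of adding -Dsun.io.useCanonCaches=false can be confirmed after a restart. It assumes Tomcat on localhost:8080 serving /index.jsp (both assumptions, adjust as needed); the "404 with the suffix" verdict mirrors what Murray reported for an unaffected setup.

```python
"""Check whether '<page>.jsp%20' returns JSP source instead of a 404 or rendered HTML.

Assumed deployment (constructed for this example): Tomcat on localhost:8080
with /index.jsp deployed. Run before and after adding
-Dsun.io.useCanonCaches=false to the JVM options and compare the verdicts.
"""
import re
import urllib.error
import urllib.request

# Tokens that appear in raw JSP source but are consumed by the JSP compiler,
# so they should never survive into rendered output.
JSP_MARKERS = re.compile(r"<%@|<%=|<%!|<%\s|<jsp:", re.IGNORECASE)


def fetch(url, timeout=5):
    """GET url and return (status, body); HTTP error codes are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Classify the response to the %20-suffixed request.

    'leak'  : 200 with JSP directives/scriptlets in the body (source disclosed)
    'ok'    : 404, the behaviour reported for unaffected JVMs in the thread
    'other' : anything else (e.g. 200 rendered HTML, 500); inspect manually
    """
    if status == 200 and JSP_MARKERS.search(body):
        return "leak"
    if status == 404:
        return "ok"
    return "other"


def check(base="http://localhost:8080", page="/index.jsp"):
    """Fetch the page normally and with a trailing %20; return both results."""
    normal_status, _ = fetch(base + page)
    suffixed_status, suffixed_body = fetch(base + page + "%20")
    return {
        "normal_status": normal_status,
        "suffixed_status": suffixed_status,
        "suffixed_verdict": classify(suffixed_status, suffixed_body),
    }


if __name__ == "__main__":
    print(check())
```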