Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to a security bug that allows browsers to see JSP source code when putting the name of the default servlet in the URL.
- Posted by: Neven Cvetkovic
- Posted on: September 27 2002 10:41 EDT
Let's say you have a valid URL like:
Then, if you use the following URL:
You will see the source code of the JSP page.
The full syntax of the exposure URL is:
For example, to see the JSP source of the Tomcat 4.1.10 admin application http://localhost:8080/admin/index.jsp
Upgrade to the latest releases, 4.0.5 and 4.1.12.
See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the latest releases.
More details at:
- Tomcat 4.0.4 and 4.1.0 Security Advisories by Chris Richard on September 27 2002 16:17 EDT
- Tomcat 4.0.4 and 4.1.0 Security Advisories by Web Master on September 27 2002 22:08 EDT
- Tomcat 4.0.4 and 4.1.0 Security Advisories by Adel Alrashidi on September 28 2002 02:06 EDT
- Tomcat 4.0.4 and 4.1.0 Security Advisories by vincent hsu on September 30 2002 18:12 EDT
- Tomcat 4.0.4 and 4.1.0 Security Advisories by jason william on October 01 2002 02:28 EDT
- Tomcat 4.0.4 and 4.1.0 Security Advisories by no name on October 01 2002 11:53 EDT
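As an added defender-side example (not from the thread and not Tomcat project code): the exposure pattern discussed above hinges on Tomcat 4's invoker servlet, mapped at /servlet/* in conf/web.xml, being used to address the container's DefaultServlet by its class name. The script below does two things a practitioner would want besides the upgrade the post recommends: it scans access-log lines in Tomcat's common log format for that path shape and reports whether the container answered 200 (served) or 404 (probed but blocked), and it checks whether a conf/web.xml still maps the invoker servlet. The log lines, the web.xml fragment and the function names are all constructed for the example; the log format and the invoker/DefaultServlet class names are Tomcat's own.

```python
"""Defender-side checks for the Tomcat 4 invoker / DefaultServlet source
exposure discussed in the thread (added example, not from the thread or Tomcat)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Path shape from the thread: the invoker servlet (mapped at /servlet/*)
# used to reach the container's DefaultServlet by fully qualified class name.
INVOKER_PREFIX = "/servlet/"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Common log format as written by Tomcat's AccessLogValve (pattern="common").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Parse one access-log line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and percent-decode so an encoded class name
    # is still recognised before the path is inspected.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def classify_request(path):
    """Reason tag if the path reaches DefaultServlet via the invoker, else None."""
    marker = INVOKER_PREFIX + DEFAULT_SERVLET
    idx = path.find(marker)
    if idx < 0:
        return None
    tail = path[idx + len(marker):]
    if "/web-inf/" in tail.lower():
        return "defaultservlet-invoker:web-inf"   # protected directory requested
    return "defaultservlet-invoker:source"        # JSP/other file requested raw


def find_invoker_probes(lines):
    """Scan log lines; 'served' is True when the container answered 200,
    which separates a still-vulnerable server from one that was only probed."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        reason = classify_request(rec["path"])
        if reason is not None:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reason": reason,
                             "served": rec["status"] == 200})
    return findings


def invoker_mapping_enabled(web_xml_text):
    """True if web.xml maps a servlet of class InvokerServlet to a URL pattern;
    commenting out that <servlet-mapping> block makes this False."""
    root = ET.fromstring(web_xml_text)

    def local(tag):                       # tolerate a namespaced <web-app>
        return tag.rsplit("}", 1)[-1]

    def child_text(elem, name):
        for c in elem:
            if local(c.tag) == name:
                return (c.text or "").strip()
        return None

    invoker_names = {child_text(s, "servlet-name") for s in root.iter()
                     if local(s.tag) == "servlet"
                     and child_text(s, "servlet-class") == INVOKER_CLASS}
    invoker_names.discard(None)
    return any(child_text(m, "servlet-name") in invoker_names
               for m in root.iter() if local(m.tag) == "servlet-mapping")


# Constructed sample input (not real traffic or a real config file).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Sep/2002:10:41:00 -0400] "GET /admin/index.jsp HTTP/1.1" 200 1234',
    '10.0.0.5 - - [27/Sep/2002:10:42:13 -0400] "GET /admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp HTTP/1.1" 200 2345',
    '10.0.0.5 - - [27/Sep/2002:10:43:02 -0400] "GET /admin/servlet/org.apache.catalina.servlets.DefaultServlet/WEB-INF/web.xml HTTP/1.1" 404 700',
    '10.0.0.7 - - [27/Sep/2002:10:44:00 -0400] "GET /examples/servlet/HelloWorldExample HTTP/1.1" 200 50',
]
WEB_XML_INVOKER_ON = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""
# Same file with the mapping commented out, the usual way to disable the invoker.
WEB_XML_INVOKER_OFF = WEB_XML_INVOKER_ON.replace(
    "<servlet-mapping>", "<!-- <servlet-mapping>").replace(
    "</servlet-mapping>", "</servlet-mapping> -->")

if __name__ == "__main__":
    for f in find_invoker_probes(SAMPLE_LOG):
        print(f)
    print("invoker mapped:", invoker_mapping_enabled(WEB_XML_INVOKER_ON),
          invoker_mapping_enabled(WEB_XML_INVOKER_OFF))
```

The plain /examples/servlet/HelloWorldExample request is deliberately not flagged: ordinary use of the invoker is noisy in a Tomcat 4 log, and the point of the check is the DefaultServlet class name appearing after the invoker prefix, which an application URL never contains.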
I don't think this problem exists in the 3.2.x version?
Tried it on my setup but it's not working. Maybe this is for some setup only.
(Tried it on my setup but it's not working. Maybe this is for some setup only.)
Maybe you forgot the 'servlet/' part in your URL?
Notice the difference in the original message:
Thank you man! It works, I can see the source code. This is really bad if someone is putting his/her database's username and password in there. But for me, my JSP source code has nothing like that; I only use JSP to view the site and all the goodies are in my Servlets. ;-)
Anyway, thank you for the "Security Advisories".
Did you try to check http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServlet/WEB-INF/classes/com.your.bean.class yet? :)
I don't see anything, I got the following message:
Apache Tomcat/4.0.1 - HTTP Status 404 - /WEB-INF/com.XXXX.UserBean.class
type Status report
description The requested resource (/WEB-INF/com.XXXX.UserBean.class) is not available.
It works on the JBoss-2.4.6_Tomcat-4.0.3 which I use now.
I suppose it depends upon what browser clients use, for nothing happens when the browser I start up is IE 5.x, but in Mozilla 1.0 I can see the source code.
Sorry, it's wrong. The condition with IE 5.x should be worse: just click the 'go back to the last page' button and the source code shows in the browser as plain text.
Yet another reason to switch from JSP to Flash based interfaces ;)
This is the reason to use tag library & bean in JSP!