Tomcat 4.0.4 and 4.1.0 Security Advisories

  1. Tomcat 4.0.4 and 4.1.0 Security Advisories (11 messages)

    Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to a security bug that allows browsers to see JSP source code when the name of the default servlet, org.apache.catalina.servlets.DefaultServlet, is put in the URL.

    Let's say you have a valid URL like:
    http://my.site/login.jsp

    Then, if you use the following URL:
    http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp

    You will see the source code of the JSP page.

    The full syntax of the exposure URL is:

    http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet
    /[context_relative_path/]file_name.jsp

    For example, to see the JSP source of the Tomcat 4.1.10 admin application (http://localhost:8080/admin/index.jsp),
    execute http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp

    Solution:
    Upgrade to the latest releases, 4.0.5 and 4.1.12.
    See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the latest releases.

    More details at:
    http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0
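
    As an added example (not part of the original thread or of Tomcat itself), the following Python scan reads Tomcat access-log lines in Common Log Format and flags requests that use the exposure URL form described above. It percent-decodes the path before matching, so an encoded `WEB-INF` is still recognised, and ranks hits that reach into `WEB-INF` or `META-INF` (the variant raised further down the thread) highest; an HTTP 200 on such a line means the file body was actually served, a 404 means only an attempt. The log lines are constructed, and the regexes, function names and severity tiers are this example's own choices.

```python
"""Scan Tomcat access-log lines for the DefaultServlet-via-invoker exposure path from the advisory."""
import re
from urllib.parse import unquote

# Common Log Format, as written by Tomcat's AccessLogValve with the "common" pattern.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# The exposure path from the advisory:
#   /[context/]servlet/org.apache.catalina.servlets.DefaultServlet/<resource>
INVOKER_RE = re.compile(
    r'/servlet/org\.apache\.catalina\.servlets\.DefaultServlet(?:/(?P<resource>.*))?$',
    re.IGNORECASE,
)

# Suffixes whose contents are server-side source or configuration (assumed list).
SOURCE_SUFFIXES = ('.jsp', '.jspx', '.jspf', '.xml', '.properties', '.class')


def classify(path):
    """Return a finding for a request path that uses the exposure URL form, else None.

    The query string is dropped and the path percent-decoded before matching, so an
    encoded 'WEB-INF' still ranks as high severity.
    """
    decoded = unquote(path.split('?', 1)[0])
    m = INVOKER_RE.search(decoded)
    if not m:
        return None
    resource = m.group('resource') or ''
    upper = '/' + resource.upper()
    if '/WEB-INF/' in upper or '/META-INF/' in upper:
        severity = 'high'      # container-private area: web.xml, compiled classes, libraries
    elif resource.lower().endswith(SOURCE_SUFFIXES):
        severity = 'medium'    # server-side source or configuration returned as plain text
    else:
        severity = 'low'       # static content that is readable by design anyway
    return {'resource': resource, 'severity': severity}


def scan_access_log(lines):
    """Return one finding per log line that requests a resource through the exposure path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group('path'))
        if hit is None:
            continue
        hit.update(
            host=m.group('host'),
            status=int(m.group('status')),
            disclosed=m.group('status') == '200',  # 200 means the file body was actually returned
        )
        findings.append(hit)
    return findings


# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2002:10:12:01 +0200] "GET /login.jsp HTTP/1.1" 200 1532',
    '10.0.0.9 - - [24/Sep/2002:10:12:07 +0200] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.1" 200 2210',
    '10.0.0.9 - - [24/Sep/2002:10:12:31 +0200] "GET /admin/servlet/org.apache.catalina.servlets.DefaultServlet/%57EB-INF/web.xml HTTP/1.1" 200 4120',
    '10.0.0.9 - - [24/Sep/2002:10:12:45 +0200] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/WEB-INF/classes/com/example/UserBean.class HTTP/1.1" 404 812',
    '10.0.0.9 - - [24/Sep/2002:10:13:02 +0200] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/images/logo.gif HTTP/1.0" 200 512',
]

if __name__ == '__main__':
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

    The path only resolves because Tomcat 4's invoker servlet, mapped to `/servlet/*` in `conf/web.xml`, lets a servlet be addressed by class name; on installs that cannot be upgraded immediately, removing that mapping is the usual workaround (general Tomcat 4 knowledge, not something the thread states).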
  2. I don't think this problem exists in the 3.2.x version?

    /c
  3. Tried it on my setup but it's not working. Maybe this is for some setup only.
  4. Tomcat 4.0.4 and 4.1.0 Security Advisories

    (Tried it on my setup but it's not working. Maybe this is for some setup only.)

    Maybe you forgot the 'servlet/' part in your URL?
    Notice the difference in the original message:

    http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp

    vs.

    http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet
    /[context_relative_path/]file_name.jsp

    Cheers,
    Calin
  5. Thank you man! It works, I can see the source code. This is really bad if someone is putting his/her database's username and password in it. But for me, my JSP source code has nothing like that; I only use JSP to view the site and all the goodies are in my Servlets. ;-)

    Anyway, thank you for the "Security Advisories".
  6. Did you try to check http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServlet/WEB-INF/classes/com.your.bean.class yet? :)
  7. I don't see anything, I got the following message:

    Apache Tomcat/4.0.1 - HTTP Status 404 - /WEB-INF/com.XXXX.UserBean.class

    type Status report

    message /WEB-INF/com.XXXX.UserBean.class

    description The requested resource (/WEB-INF/com.XXXX.UserBean.class) is not available.
  8. It works on the JBoss-2.4.6_Tomcat-4.0.3 which I use now.

    vincent
  9. I suppose it depends upon what browser clients use, for nothing happens when the browser I start up is IE5.x, but in Mozilla 1.0 I can see the source code.
  10. Sorry, it's wrong. The condition with IE5.x should be worse: only click the 'go back to the last page' button, and the source code would show in the browser as plain text.
  11. Yet another reason to switch from JSP to Flash based interfaces ;)
  12. This is the reason to use tag library & bean in JSP!