[20027] in bugtraq
Re: Tomcat may reveal script source code by URL trickery
daemon@ATHENA.MIT.EDU (monwel)
Wed Apr 4 19:19:24 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3ACB6BCF.F84DC7D6@interhack.net>
Date: Wed, 4 Apr 2001 14:45:35 -0400
Reply-To: monwel <monwel@INTERHACK.NET>
From: monwel <monwel@INTERHACK.NET>
X-To: ericmau@BESTWAY.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Eric Daniel Mauricio wrote:
>
> There is another way to get the source from a JSP page using Tomcat.
> If you don't write HTTP/1.0 or HTTP/1.1 at the end of the GET request,
> you will get the source code and not the processed JSP.
> In other words, use Apache + Tomcat if you intend to protect your source code.
Even if Apache is wrapping Tomcat, port 8080 (example) is still "open for
business" (*) to reveal source as described above.
It may be understood or implied but, if you do run Tomcat under Apache as
suggested, you should add the "inet" param to tomcat/conf/server.xml (and
restart) to restrict access, e.g.:
<!-- Normal HTTP -->
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler"
               value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="inet" value="127.0.0.1"/>
    <Parameter name="port" value="8080"/>
</Connector>
(similar config for 8007, 8009, 8443, etc. as needed)
REF: http://mikal.org/interests/java/tomcat/archive/view?mesg=22911
* In a default Tomcat 3.2.1 install; Tomcat 4.0x untested.
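An added example (not part of monwel's post or of Tomcat itself) that audits a Tomcat 3.x-style server.xml for Connector elements not bound to loopback via the "inet" parameter, and shows what the corrected file looks like. The sample server.xml is constructed for this example: it reuses only the className, handler and parameter names from the post, and the second connector on port 8009 is made up to show the exposed case. The loopback address set and the function names are assumptions of the example.

```python
"""Audit a Tomcat 3.x server.xml for Connectors reachable from other hosts.

Added example, not from the original post.  Assumes the Tomcat 3.2-era layout:
<Connector className=...> containing <Parameter name=... value=.../> children,
with an "inet" Parameter restricting the bind address when present.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one connector bound to loopback (as in the post), one left
# with no "inet" parameter, which in a default 3.2.1 install listens on all
# interfaces.  Port 8009 and the second connector are made up for this example.
SAMPLE_SERVER_XML = """<Server>
  <ContextManager>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler"
                 value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
      <Parameter name="inet" value="127.0.0.1"/>
      <Parameter name="port" value="8080"/>
    </Connector>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler"
                 value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
      <Parameter name="port" value="8009"/>
    </Connector>
  </ContextManager>
</Server>
"""

# Bind addresses treated as "local only" (assumption of this example).
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def connector_params(connector):
    """Map a Connector's <Parameter name=.. value=../> children to a dict."""
    return {p.get("name"): p.get("value") for p in connector.findall("Parameter")}


def find_exposed_connectors(server_xml):
    """Return (port, inet) for every Connector whose inet is missing or
    not a loopback address, i.e. reachable from other hosts even when
    Apache is fronting Tomcat."""
    root = ET.fromstring(server_xml)
    exposed = []
    for conn in root.iter("Connector"):
        params = connector_params(conn)
        inet = params.get("inet")
        if inet not in LOOPBACK:
            exposed.append((params.get("port", "?"), inet))
    return exposed


def is_locked_down(server_xml):
    """True when every Connector is bound to a loopback address."""
    return not find_exposed_connectors(server_xml)


def bind_all_to_loopback(server_xml):
    """Return a copy of server.xml with <Parameter name="inet"
    value="127.0.0.1"/> set on every Connector that lacks a loopback bind.
    Comments are not preserved by ElementTree; review the result before use."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        inet = connector_params(conn).get("inet")
        if inet in LOOPBACK:
            continue
        # Drop any non-loopback inet parameter, then add the loopback one.
        for p in conn.findall("Parameter"):
            if p.get("name") == "inet":
                conn.remove(p)
        conn.insert(0, ET.Element("Parameter", name="inet", value="127.0.0.1"))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, inet in find_exposed_connectors(SAMPLE_SERVER_XML):
        print(f"Connector on port {port}: inet={inet!r} (reachable from other hosts)")
    print(bind_all_to_loopback(SAMPLE_SERVER_XML))
```

Run it against a real tomcat/conf/server.xml by reading the file into a string; every connector it lists is one that still answers directly on its own port regardless of the Apache front end.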
--
monwel @ interhack.net