Bug 13365 - JSP source disclosure vulnerability not fixed when invoking servlets by name
Status: RESOLVED FIXED
Product: Tomcat 4
Classification: Unclassified
Component: Catalina
Version: 4.1.12
Hardware/OS: All / All
Importance: P3 normal
Target Milestone: ---
Assigned To: Tomcat Developers Mailing List
Reported: 2002-10-07 16:05 UTC by tmoore
Modified: 2004-11-16 19:05 UTC
Description tmoore 2002-10-07 16:05:17 UTC
The fix for the JSP source disclosure security hole is incomplete.  Currently, 
it rejects servlet names starting with org.apache.catalina, but this solution 
fails to take into account the fact that servlets can be invoked by their name, 
and not just their class name.  To see an example of this, on a stock 4.1.12 
installation, uncomment the invoker servlet mapping in the default web.xml and 
go to this URL:

http://localhost:8080/examples/servlet/default/jsp/snp/snoop.jsp

The important part is the "/servlet/default" fragment, which will bypass the 
new security checks and invoke the default servlet.

Although this is less of a problem than the one discovered originally (since 
the servlet mapping is commented out by default) I believe that a lot of people 
using Tomcat are relying on the invoker servlet, and so have uncommented the mapping 
in their 4.0.5 and 4.1.12 installations.  Therefore there's reason to believe 
that there are still a large number of vulnerable servers out there.

I haven't tested this on 4.0.5, but I'm assuming that it's also vulnerable.
Comment 1 Kan Ogawa 2002-10-07 16:41:45 UTC
For example, is this bug fixed by applying the following patch?

Index: jakarta-tomcat-4.0/catalina/src/conf/web.xml
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v
retrieving revision 1.44
diff -u -w -r1.44 web.xml
--- jakarta-tomcat-4.0/catalina/src/conf/web.xml	21 Sep 2002 16:23:28 -
0000	1.44
+++ jakarta-tomcat-4.0/catalina/src/conf/web.xml	7 Oct 2002 16:21:49 -
0000
@@ -41,7 +41,7 @@
   <!--                       rejected?  [true]                              -->
 
     <servlet>
-        <servlet-name>default</servlet-name>
+        <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-
name>
         <servlet-class>
           org.apache.catalina.servlets.DefaultServlet
         </servlet-class>
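Review bot: renaming the declaration to the full class name only closes the `/servlet/default` path because, as the description states, the invoker rejects servlet names that start with org.apache.catalina; the by-name lookup itself stays in place, so any other Catalina-internal servlet registered in this file under a short name would remain reachable the same way. It is worth saying in the commit message that this is a configuration workaround in conf/web.xml rather than a change to the invoker, which is consistent with the remark below that removing the invoker is the fundamental solution.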
@@ -265,7 +265,7 @@
 
     <!-- The mapping for the default servlet -->
     <servlet-mapping>
-        <servlet-name>default</servlet-name>
+        <servlet-name>org.apache.catalina.servlets.DefaultServlet</servlet-
name>
         <url-pattern>/</url-pattern>
     </servlet-mapping>
 
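Review bot: the servlet-name in this mapping must match the renamed declaration byte for byte, with `</servlet-name>` kept on one line (the break after `</servlet-` is a line wrap in the patch as posted, not valid XML); if only one of the two hunks is applied, or the names drift apart, the `/` url-pattern references a servlet that is not declared.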

# I personally think that a fundamental means to solve this problem is
# to abolish or remove Invoker itself.
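Added example, not code from the bug report or from Tomcat itself: a Python audit of a conf/web.xml that applies the reasoning of the description and of the patch above, flagging an active invoker mapping together with any org.apache.catalina servlet registered under a short name, since that combination is what the by-name lookup exposes. The sample web.xml is a constructed, trimmed stand-in and `audit_web_xml` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"
CATALINA_PREFIX = "org.apache.catalina"

# Constructed, trimmed stand-in for Tomcat 4.1 conf/web.xml: invoker mapping
# uncommented, default servlet still registered under the short name "default".
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _text(parent, tag):
    child = parent.find(tag)
    return (child.text or "").strip() if child is not None else ""

def audit_web_xml(xml_text):
    # XML comments are dropped by the parser, so a commented-out mapping is ignored.
    root = ET.fromstring(xml_text)
    servlets = {_text(s, "servlet-name"): _text(s, "servlet-class")
                for s in root.findall("servlet")}
    mapped = {_text(m, "servlet-name") for m in root.findall("servlet-mapping")}
    invokers = {name for name, cls in servlets.items() if cls == INVOKER_CLASS}
    if not invokers & mapped:
        return []  # invoker declared but its mapping is absent or commented out
    findings = ["invoker servlet mapping is active"]
    for name, cls in sorted(servlets.items()):
        # The check rejects org.apache.catalina.* only when the request names the
        # class; a Catalina servlet registered under a short name bypasses it.
        if (cls.startswith(CATALINA_PREFIX) and not name.startswith(CATALINA_PREFIX)
                and name not in invokers):
            findings.append(f"servlet '{name}' ({cls}) reachable by name via invoker")
    return findings
```

Running the audit on the same file after the rename from the patch leaves only the "invoker servlet mapping is active" finding, and on a file whose invoker mapping is commented out it reports nothing.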
Comment 2 Remy Maucherat 2002-10-09 14:23:40 UTC
Ok, this is fixed in all branches, and Tomcat 4.0.6 has been released (the
default Tomcat 4.0.5 installation was vulnerable).

However, NEVER EVER DISCUSS A POTENTIAL SECURITY PROBLEM ON A PUBLIC
COMMUNICATION CHANNEL, because this puts all Tomcat users at risk. The Tomcat
Team also cannot release a new version within minutes of a security problem being
published. Thanks. There are *private* mailing lists for that (security at
apache.org), and you will be given all the credit you want or deserve.

I used the patch submitted as a patch which can be applied to Tomcat 4.0.5 to
resolve the problem without upgrading to 4.0.6.