This problem has been reported in tomcat-dev by Kazuhiro Kazama before. But it doesn't seem to be fixed yet, so I report it again.

----- begin of Kazama's report -----

From: kazama@ingrid.org (Kazuhiro Kazama)
Subject: Re: Bug Report #649
Date: Fri, 22 Dec 2000 11:43:01 +0900
Message-ID: <20001222114301I.kazama@ingrid.org>

> This bug may be system dependent. Would you describe your OS and its
> release?

I analyzed this problem in cooperation with the JavaHouse-Brewers mailing list (Java technical discussions in Japan) and found there are two bugs. These bugs resemble the ServletExec JSP source disclosure vulnerability (http://www.securityfocus.com/bid/1970) in situation.

1. When you add "%20" (in fact, any URL-encoded character or sequence from %01 to %20) to a URL's end, Tomcat returns the JSP source code instead of its result. When you use mod_jk and delegate all HTTP requests under the directory specified by a "JkMount" directive to Tomcat, this bug comes out.

Example:
http://localhost/examples/jsp/num/numguess.jsp%20

Workaround: Apply the attached patch to your Tomcat 3.2.1. This patch removes an extra trim() which removes U+0000 - U+0020 characters from a URL.

2. When you add '.' or "%2E" (= '.') to a URL's end, the Apache server (not Tomcat) returns the JSP source code of JSP files. This is a Windows bug and I confirmed it on Windows 98 and Windows 2000. But a security measure is needed in the Apache server. When you use mod_jk on Windows and JSP files are accessible from your Apache server by adding an "Alias" directive, this bug comes out.

Example:
http://localhost/examples/jsp/num/numguess.jsp.
http://localhost/examples/jsp/num/numguess.jsp%2E

Workaround: On the Windows platform, don't use the "Alias" directive for mounting your Web application directory. The "mod_jk.conf-auto" that Tomcat generates has "Alias" directives, so you should fix it on Windows. This bug may be correctable but I have no time to fix the Apache server. I hope someone will offer a better solution.
By the way, these bugs don't happen on Tomcat & mod_jserv. But I don't think that it is a good idea to use the mod_jserv module on Tomcat 3.2.1 because this behavior may depend on other mod_jserv bugs.

Kazuhiro Kazama (kazama@ingrid.org)
NTT Network Innovation Laboratories

----- end of Kazama's report -----
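Added example (not from the bug report and not Tomcat's own code): a small Python model of the dispatch described in item 1 of Kazama's report. It shows why stripping U+0000..U+0020 in the static-file path, after the servlet mapping has already been decided on the untrimmed path, turns numguess.jsp%20 into a source disclosure, and what the same request gets once the extra trim is gone. All function names and the document-root contents are constructed for the example.

```python
from urllib.parse import unquote

# Java's String.trim() strips every char <= U+0020 from both ends; this is
# the set the extra trim() in Tomcat 3.2.1 removed from the request path.
JAVA_TRIM_CHARS = "".join(chr(c) for c in range(0x21))

# Constructed stand-in for the webapp's document root: path -> file content.
DOCROOT = {
    "/examples/jsp/num/numguess.jsp":
        '<%@ page import="num.NumberGuessBean" %> <html>...</html>',
}


def run_jsp(path):
    # Stand-in for the JSP servlet: executes the page, never echoes its source.
    return 200, "text/html", "<html>rendered output of %s</html>" % path


def serve_static(path, extra_trim):
    # Stand-in for the default (static file) servlet. With extra_trim=True it
    # models the 3.2.1 behaviour the patch removes: trailing U+0000..U+0020 is
    # stripped *here*, after the servlet mapping was already decided, so the
    # file lookup succeeds on a path the JSP servlet never saw.
    lookup = path.strip(JAVA_TRIM_CHARS) if extra_trim else path
    content = DOCROOT.get(lookup)
    if content is None:
        return 404, "text/plain", "Not Found"
    return 200, "text/plain", content


def dispatch(request_uri, extra_trim):
    # Servlet mapping is done on the decoded but untrimmed path, so
    # "/.../numguess.jsp " (trailing space) does not match *.jsp and falls
    # through to the static servlet.
    path = unquote(request_uri)
    if path.endswith(".jsp"):
        return run_jsp(path)
    return serve_static(path, extra_trim)


def has_unsafe_chars(request_uri):
    # Defensive pre-check a front end or the container can apply before any
    # mapping: reject a decoded path containing a control character or space,
    # so no later component can reinterpret it. This covers the whole
    # %01..%20 range the report mentions, not only %20.
    return any(c <= "\x20" for c in unquote(request_uri))
```

The contrast to check is dispatch of the %20 URL with extra_trim=True (200, text/plain, JSP source) against extra_trim=False (404); the canonical URL renders in both cases.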
Created attachment 28
Patch for Bug 748
A variation of this bug seems to show itself when you telnet to the tomcat server's port, issue a GET and don't specify a protocol!

telnet 10.0.3.2 8080
Trying 10.0.3.2...
Connected to 10.0.3.2.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Fri, 16 Mar 2001 19:11:58 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Windows 95 4.10 x86; java.vendor=Sun Microsystems Inc.)

<!--
  Copyright (c) 1999 The Apache Software Foundation.  All rights
  reserved.

  Number Guess Game
  Written by Jason Hunter, CTO, K&A Software
  http://www.servlets.com
-->

<%@ page import = "num.NumberGuessBean" %>

<jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
<jsp:setProperty name="numguess" property="*"/>

<html>
<head><title>Number Guess</title></head>
<body bgcolor="white">
<font size=4>

<% if (numguess.getSuccess()) { %>

  Congratulations!  You got it.
  And after just <%= numguess.getNumGuesses() %> tries.<p>

  <% numguess.reset(); %>

  Care to <a href="numguess.jsp">try again</a>?

<% } else if (numguess.getNumGuesses() == 0) { %>

  Welcome to the Number Guess game.<p>

  I'm thinking of a number between 1 and 100.<p>

  <form method=get>
  What's your guess? <input type=text name=guess>
  <input type=submit value="Submit">
  </form>

<% } else { %>

  Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.
  You have made <%= numguess.getNumGuesses() %> guesses.<p>

  I'm thinking of a number between 1 and 100.<p>

  <form method=get>
  What's your guess? <input type=text name=guess>
  <input type=submit value="Submit">
  </form>

<% } %>

</font>
</body>
</html>
Connection closed by foreign host.
The above HTTP 0.9 (GET without specifying a protocol) problem was fixed in Tomcat 3.2.2b1 & Tomcat 3.3m1.
As the last comment states, this has been fixed in 3.2.2b1 and 3.3. I'm not sure if the 4.0 fix has been applied yet, so I'm leaving this open.
Closing the bug, it has been fixed in all Tomcat versions.