Bug 748 - JSP Source Disclosure Vulnerability
Summary: JSP Source Disclosure Vulnerability
Status: CLOSED LATER
Alias: None
Product: Tomcat 3
Classification: Unclassified
Component: Servlet
Version: 3.2.1 Final
Hardware: All, OS: All
Importance: P1 critical
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2001-02-28 07:36 UTC by Yoshiyuki Karezaki
Modified: 2004-11-16 19:05 UTC
Attachments
Patch for Bug 748 (2.20 KB, patch)
2001-02-28 07:40 UTC, Yoshiyuki Karezaki
Description Yoshiyuki Karezaki 2001-02-28 07:36:37 UTC
This problem was reported in tomcat-dev by Kazuhiro Kazama before.
But it doesn't seem to be fixed yet, so I report it again.

----- begin of Kazama's report -----
From: kazama@ingrid.org (Kazuhiro Kazama)
Subject: Re: Bug Report #649
Date: Fri, 22 Dec 2000 11:43:01 +0900
Message-ID: <20001222114301I.kazama@ingrid.org>
> This bug may be system dependent. Would you describe your OS and its
> release?

I analyzed this problem in cooperation with JavaHouse-Brewers mailing
list (Java technical discussions in Japan) and found there are two
bugs.

These bugs resemble the ServletExec JSP source disclosure vulnerability
(http://www.securityfocus.com/bid/1970) in situation.

1. When you add "%20" (in fact, a URL-encoded character or sequence of
characters from %01 to %20) to the end of a URL, Tomcat returns the JSP
source code instead of its result.

When you use mod_jk and delegate all HTTP requests under the
directory specified by a "JkMount" directive to Tomcat, this bug comes
out.

Example:
        http://localhost/examples/jsp/num/numguess.jsp%20

Workaround:
Apply the attached patch to your Tomcat 3.2.1. This patch removes an extra
trim() which removes U+0000 - U+0020 characters from a URL.

2. When you add '.' or "%2E" (= '.') to the end of a URL, the Apache server
(not Tomcat) returns the JSP source code of JSP files.

This is a Windows bug and I confirmed it on Windows 98 and Windows
2000. But a security measure is needed in the Apache server.

When you use mod_jk on Windows and JSP files are accessible from your
Apache server by adding an "Alias" directive, this bug comes out.

Example:
        http://localhost/examples/jsp/num/numguess.jsp.
        http://localhost/examples/jsp/num/numguess.jsp%2E

Workaround:
On the Windows platform, don't use the "Alias" directive for mounting your Web
application directory. The "mod_jk.conf-auto" that Tomcat generates has "Alias"
directives, so you should fix it on Windows.

This bug may be correctable but I have no time to fix the Apache server. I
hope someone will inform me of a better solution.

By the way, these bugs don't happen on Tomcat & mod_jserv. But I don't
think it is a good idea to use the mod_jserv module on Tomcat 3.2.1
because this behavior may depend on other mod_jserv bugs.

Kazuhiro Kazama (kazama@ingrid.org)    NTT Network Innovation Laboratories
----- end of Kazama's report -----
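The two bugs in Kazama's report share one root cause: the handler decision (JSP servlet or static file) is made on one form of the path, while the file lookup uses another (Tomcat's extra trim() in bug 1, Win32's dropping of trailing dots in bug 2). The toy dispatcher below is an added example, not code from the bug report or from Tomcat; it models that mismatch on a constructed in-memory web root and shows a hardened variant that canonicalizes once, before mapping, and refuses paths the two layers could read differently.

```python
from urllib.parse import unquote

# Constructed in-memory web root standing in for examples/jsp/num/ (not real Tomcat files).
WEBROOT = {"/examples/jsp/num/numguess.jsp": '<%@ page import="num.NumberGuessBean" %> ...'}
# The characters Java's String.trim() strips: U+0000 - U+0020, as the report says.
JAVA_TRIM_CHARS = "".join(map(chr, range(0x21)))

def fs_open(path, windows=False):
    """Read a file from WEBROOT. With windows=True, mimic Win32 dropping trailing
    dots and spaces from the last path segment (the behaviour behind bug 2)."""
    if windows:
        head, _, last = path.rpartition("/")
        path = head + "/" + last.rstrip(". ")
    return WEBROOT.get(path)

def jsp_handler(path):
    # Stand-in for the JSP servlet: the source is compiled and only its output is sent.
    return ("200", "text/html", "<rendered output of %s>" % path)

def static_handler(path, windows):
    # Stand-in for the default/static servlet, including the extra trim() from bug 1.
    body = fs_open(path.strip(JAVA_TRIM_CHARS), windows)
    return ("404", "text/plain", "") if body is None else ("200", "text/plain", body)

def vulnerable_dispatch(url, windows=False):
    """Mapping decides on the raw decoded path: 'numguess.jsp ' and 'numguess.jsp.'
    do not end in '.jsp', so they fall through to the static handler, whose file
    lookup then silently normalises the name back to numguess.jsp."""
    path = unquote(url)
    return jsp_handler(path) if path.endswith(".jsp") else static_handler(path, windows)

def canonical_path(url):
    """Canonicalise once, up front; return None for anything the file system
    and the mapper could interpret differently from each other."""
    path = unquote(url)
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in path):
        return None                      # control chars, space, DEL
    last = path.rpartition("/")[2]
    if last != last.rstrip(". "):
        return None                      # trailing dot/space (Win32 drops them)
    return path

def hardened_dispatch(url, windows=False):
    """Same handlers, but mapping and file lookup see the same canonical path,
    and unrepresentable paths are refused with 400 instead of being guessed at."""
    path = canonical_path(url)
    if path is None:
        return ("400", "text/plain", "")
    return jsp_handler(path) if path.endswith(".jsp") else static_handler(path, windows)
```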
Comment 1 Yoshiyuki Karezaki 2001-02-28 07:40:53 UTC
Created attachment 28 [details]
Patch for Bug 748
Comment 2 tomcatbug 2001-03-19 17:20:29 UTC
A variation of this bug seems to show itself when you telnet to the Tomcat server's port, issue a GET and don't specify a protocol!

telnet 10.0.3.2 8080
Trying 10.0.3.2...
Connected to 10.0.3.2.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp

HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Fri, 16 Mar 2001 19:11:58 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Windows 95 4.10 x86; java.vendor=Sun Microsystems Inc.)

<!--
  Copyright (c) 1999 The Apache Software Foundation.  All rights reserved.

  Number Guess Game
  Written by Jason Hunter, CTO, K&A Software
  http://www.servlets.com
-->

<%@ page import = "num.NumberGuessBean" %>

<jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
<jsp:setProperty name="numguess" property="*"/>

<html>
<head><title>Number Guess</title></head>
<body bgcolor="white">
<font size=4>

<% if (numguess.getSuccess()) { %>

  Congratulations!  You got it.
  And after just <%= numguess.getNumGuesses() %> tries.<p>

  <% numguess.reset(); %>

  Care to <a href="numguess.jsp">try again</a>?

<% } else if (numguess.getNumGuesses() == 0) { %>

  Welcome to the Number Guess game.<p>

  I'm thinking of a number between 1 and 100.<p>

  <form method=get>
  What's your guess? <input type=text name=guess>
  <input type=submit value="Submit">
  </form>

<% } else { %>

  Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.

  You have made <%= numguess.getNumGuesses() %> guesses.<p>

  I'm thinking of a number between 1 and 100.<p>

  <form method=get>
  What's your guess? <input type=text name=guess>
  <input type=submit value="Submit">
  </form>

<% } %>

</font>
</body>
</html>
Connection closed by foreign host.
Comment 3 Yoshiyuki Karezaki 2001-03-20 06:41:32 UTC
The above HTTP 0.9 (GET without specifying a protocol) problem was fixed in Tomcat 3.2.2b1 & Tomcat 3.3m1.
Comment 4 Marc Saegesser 2001-03-20 14:33:27 UTC
As the last comment states, this has been fixed in 3.2.2b1 and 3.3.  I'm not sure if the 4.0 fix has been applied yet, so I'm leaving this open.
Comment 5 Costin Manolache 2001-09-13 22:13:20 UTC
Closing the bug, it has been fixed in all Tomcat versions.