SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Server/CGI)  >  Tomcat Vendors:  Apache Software Foundation
Apache Tomcat Java Server Default Servlet Returns JSP Source Code to Remote Users
SecurityTracker Alert ID:  1005290
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 26 2002
Impact:  Disclosure of system information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 4.0.4, 4.1.10
Description:  An information disclosure vulnerability was reported in Apache Tomcat in the org.apache.catalina.servlets.DefaultServlet servlet. A remote user can view servlet source code.

It is reported that a remote user can request a specially crafted URL to view the unprocessed source of a JSP page or, under special circumstances, an ostensibly protected static resource.

A demonstration exploit URL that can be used to retrieve the code of http://my.site/login.jsp is provided:

http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp

The full syntax of the exploit URL is provided:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
Impact:  A remote user can view JSP source code on the server.
Solution:  The vendor has released fixed versions (4.0.5, 4.1.12).

Binary and source distributions for Apache Tomcat 4.1.12 Stable are available at:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Binary and source distributions for Apache Tomcat 4.0.5 are available at:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

The vendor has indicated that an easy workaround exists for existing Tomcat installations that involves disabling the invoker servlet in the default webapp configuration.

In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment:

<servlet-mapping> <servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern> </servlet-mapping>
Vendor URL:  jakarta.apache.org/site/news.html (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)
Reported By:  Rossen Raykov <Rossen.Raykov@CognicaseUSA.com>
Message History:   None.

 Source Message Contents
Date:  Tue, 24 Sep 2002 10:12:44 -0400
From:  Rossen Raykov <Rossen.Raykov@CognicaseUSA.com>
Subject:  JSP source code exposure in Tomcat 4.x

 

	Tomcat 4.x JSP source exposure security advisory

1. Summary
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.


2. Details:
Let say you have valid URL like http://my.site/login.jsp, then an URL like
http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
will give you the source code of  the JSP page.

The full syntaxes of the exposure URL is:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet
/[context_relative_path/]file_name.jsp

For example to see the JSP source of Tomcat 4.1.10 admin application
http://localhost:8080/admin/index.jsp
execute
http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServ
let/index.jsp


3. Solution:
	3.1 Upgrade to the last releases 4.0.5 and 4.1.12
		See
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last
releases.

	3.2 Workaround:
There are at least two ways to protect from this vulnerability.
	A. Tomcat in tandem with HTTP server front-end:
		a. If you are using front-end HTTP server you can filter all
requests with the pattern
*/servlet/org.apache.catalina.servlets.DefaultServlet*
		b. If you are using mod_jk to connect tomcat to you
front-end server map to Tomcat only the URL's that are part from you
application but not all request. See the usage of JkMount directive.
	B. If you are using standalone Tomcat then add protection for this
location in all you application descriptors - web.xml. Simple example:

<security-constraint>
  <display-name>Default Servlet</display-name>
  <!-- Disable direct alls on the Default Servlet</web-resource-name -->
  <web-resource-collection>
    <web-resource-name>Disallowed Location</web-resource-name>
 
<url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pat
tern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

	See the server's documentation for more details.

Regards,
Rossen Raykov

PS. Special thanks to the Tomcat development team for their quick response.

---
Rossen Raykov
COGNICASE U.S.A. Inc.
(908) 860-1100 Ext. 1140
Rossen.Raykov@CognicaseUSA.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC