|
COMMAND Tomcat JSP source code exposure SYSTEMS AFFECTED Tomcat 4.x PROBLEM Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet. Let say you have valid URL like http://my.site/login.jsp, then an URL like http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp will give you the source code of the JSP page. The full syntaxes of the exposure URL is: http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp For example to see the JSP source of Tomcat 4.1.10 admin application http://localhost:8080/admin/index.jsp execute http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp SOLUTION Upgrade to the last releases 4.0.5 and 4.1.12, See http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last releases Workaround: ========== There are at least two ways to protect from this vulnerability. A. Tomcat in tandem with HTTP server front-end: a. If you are using front-end HTTP server you can filter all requests with the pattern */servlet/org.apache.catalina.servlets.DefaultServlet* b. If you are using mod_jk to connect tomcat to you front-end server map to Tomcat only the URL's that are part from you application but not all request. See the usage of JkMount directive. B. If you are using standalone Tomcat then add protection for this location in all you application descriptors - web.xml. Simple example: <security-constraint> <display-name>Default Servlet</display-name> <!-- Disable direct alls on the Default Servlet</web-resource-name --> <web-resource-collection> <web-resource-name>Disallowed Location</web-resource-name> <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pat tern> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <role-name></role-name> </auth-constraint> </security-constraint> See the server's documentation for more details. Update (26 september 2002) ====== Martin Robson [http://www.radialsoftware.com] says : No your best bet is to comment out the following line (and no it won't be all on one line) from your web.xml file then schedule to upgrade to Tomcat 4.1.12 Stable or Tomcat 4.0.5. <servlet-mapping> <servlet-name>invoker</servlet-name> <url-pattern>/servlet/*</url-pattern> </servlet-mapping> The Jakarta Team has already posted a response to this bug, it can be viewed here: http://jakarta.apache.org/site/news.html