TUCoPS :: Web :: General :: web5709.htm

Tomcat JSP source code exposure
25th Sep 2002 [SBWID-5709]
COMMAND

	Tomcat JSP source code exposure

SYSTEMS AFFECTED

	Tomcat 4.x

PROBLEM

	Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions  also)  are
	vulnerable to source code exposure by using the default servlet
	

	org.apache.catalina.servlets.DefaultServlet.

	

	Let say you have valid URL like http://my.site/login.jsp,  then  an  URL
	like
	

	http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp

	

	will give you the source code of  the JSP page.
	

	The full syntaxes of the exposure URL is:
	

	http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp

	

	For example to see the JSP source of Tomcat 4.1.10 admin application
	

	http://localhost:8080/admin/index.jsp

	

	execute
	

	http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp

	

SOLUTION

	Upgrade to the last releases 4.0.5 and 4.1.12, See
	

	http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ 

	

	for the last releases
	

	 Workaround:

	 ==========

	

	There are at least two ways to protect from this vulnerability.
	

	 A. Tomcat in tandem with HTTP server front-end:

	  a. If you are using front-end HTTP server you can filter all

	     requests with the pattern

	

	     */servlet/org.apache.catalina.servlets.DefaultServlet*

	 

	  b. If you are using mod_jk to connect tomcat to you

	     front-end server map to Tomcat only the URL's that are part from you

	     application but not all request. See the usage of JkMount directive.

	

	 B. If you are using standalone Tomcat then add protection for this

	    location in all you application descriptors - web.xml. Simple example:

	

	<security-constraint>

	  <display-name>Default Servlet</display-name>

	  <!-- Disable direct alls on the Default Servlet</web-resource-name -->

	  <web-resource-collection>

	    <web-resource-name>Disallowed Location</web-resource-name>

	 

	<url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pat

	tern>

	    <http-method>DELETE</http-method>

	    <http-method>GET</http-method>

	    <http-method>POST</http-method>

	    <http-method>PUT</http-method>

	  </web-resource-collection>

	  <auth-constraint>

	    <role-name></role-name>

	  </auth-constraint>

	</security-constraint>

	

	  See the server's documentation for more details.

	

	 Update (26 september 2002)

	 ======

	

	Martin Robson [http://www.radialsoftware.com] says :
	

	No your best bet is to comment out the following line (and no  it  won't
	be all on one line) from your web.xml file then schedule to  upgrade  to
	Tomcat 4.1.12 Stable or Tomcat 4.0.5.
	

	<servlet-mapping> <servlet-name>invoker</servlet-name>

	<url-pattern>/servlet/*</url-pattern> </servlet-mapping> 

	

	The Jakarta Team has already posted a response to this bug,  it  can  be
	viewed here:
	

	http://jakarta.apache.org/site/news.html

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH