On Fri, 30 Mar 2001, Renzo Toma wrote:
>
> Just in case you missed it.
>
I'm working on this ... (compiling as I type).
Craig
> -----Original Message-----
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of Sverre
> H. Huseby
> Sent: Thursday 29 March 2001 10:12
> To: [EMAIL PROTECTED]
> Subject: Tomcat may reveal script source code by URL trickery
>
>
> Tomcat may reveal script source code by URL trickery
> ----------------------------------------------------
>
> Sverre H. Huseby advisory 2001-03-29
>
>
>
> Systems affected
> ----------------
>
> Tomcat 4.0-b1 (latest milestone) and nightly build as of 2001-03-28
> tested. Other versions may be vulnerable too. The problem is only
> present when using Tomcat's built-in web server, not when using Tomcat
> with Apache Web Server.
>
>
> Description
> -----------
>
> Tomcat (http://jakarta.apache.org/tomcat/), the Reference
> Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
> Technologies, may be tricked into revealing the source code of JSP
> scripts by using simple URL encoding.
>
>
> Details
> -------
>
> It seems that the built-in web server in Tomcat does URL decoding in
> an unreasonable order. URLs like the following
>
> http://XXX:8080/examples/jsp/num/numguess.js%70
>
> where %70 is a URL-encoded 'p', return the source code of index.jsp
> rather than running the script on the server side.
>
> To speculate: The JSP handler is skipped as this URL does not end in
> ".jsp", but the static file handler is nevertheless able to map the
> URL into a correct file name.
>
>
> Impact
> ------
>
> This design error makes it possible to fetch the source code of JSP
> scripts. Such source code may contain database passwords and file
> names, and may reveal design errors or programming bugs that make it
> possible to further exploit the server or service.
>
>
>
> Reported by Sverre H. Huseby, [EMAIL PROTECTED]
>
> --
> <URL:mailto:[EMAIL PROTECTED]>
> <URL:http://shh.thathost.com/>
>
>
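The decoding-order problem the quoted advisory speculates about, modelled as an added Python example (this is not Tomcat's code and not part of the advisory): a toy dispatcher that picks the handler on the raw URL and decodes only in the static file handler, beside one that decodes exactly once and normalizes before choosing a handler, plus a log-review check for requests whose decoded path selects a script handler the raw URL would not. The document root, file names and file contents are constructed.

```python
from urllib.parse import unquote
import posixpath

# Constructed document root: canonical path -> file contents (not real Tomcat files).
DOC_ROOT = {
    "/examples/jsp/num/numguess.jsp": '<%@ page import="java.util.*" %> ... JSP source ...',
    "/examples/index.html": "<html>static page</html>",
}
JSP_SUFFIX = ".jsp"


def render_jsp(path):
    """Stand-in for the JSP engine: runs the page and never echoes its source."""
    return "<rendered output of %s>" % path


def canonical_path(raw_url):
    """Decode exactly once, then normalize, so every handler sees the same path."""
    path = posixpath.normpath(unquote(raw_url))
    if not path.startswith("/"):
        raise ValueError("path escapes document root: %r" % raw_url)
    return path


def dispatch_vulnerable(raw_url):
    """Mirrors the reported behaviour: handler chosen on the raw URL,
    decoding done only later by the static file handler."""
    if raw_url.endswith(JSP_SUFFIX):      # 'numguess.js%70' does not match here ...
        return "jsp", render_jsp(raw_url)
    path = unquote(raw_url)               # ... but decodes to numguess.jsp here
    if path in DOC_ROOT:
        return "static", DOC_ROOT[path]   # JSP source served as a plain file
    return "404", None


def dispatch_fixed(raw_url):
    """Decode and normalize first, then choose the handler on the canonical path."""
    path = canonical_path(raw_url)
    if path.endswith(JSP_SUFFIX):
        return "jsp", render_jsp(path)
    if path in DOC_ROOT:                  # only non-JSP files reach the static handler
        return "static", DOC_ROOT[path]
    return "404", None                    # a double-encoded '%2570' ends here, not decoded twice


def is_suspicious(raw_url):
    """Log-review check: decoded path ends in .jsp while the raw request line does not."""
    return unquote(raw_url).endswith(JSP_SUFFIX) and not raw_url.endswith(JSP_SUFFIX)
```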