On Tue, Apr 03, 2001 at 04:04:46PM -0700, Jon Stevens wrote:
>
> ----------
> From: "Sverre H. Huseby" <[EMAIL PROTECTED]>
> Reply-To: "Sverre H. Huseby" <[EMAIL PROTECTED]>
> Date: Tue, 3 Apr 2001 10:25:26 +0200
> To: [EMAIL PROTECTED]
> Subject: Tomcat may reveal script source code by URL trickery 2
[...]
> Systems affected
> ----------------
>
> Tomcat 4.0-b2, which includes fixes for a similar bug. Other versions
> before 4.0-b3 may be vulnerable too.
>
> The Tomcat team was notified on 2001-04-01, and they provided a fix on
> 2001-04-03. Everybody should upgrade to at least Tomcat 4.0 beta 3.
As far as I understand and can verify by testing, both Tomcat 3.2.1
and 3.2.2b2 are vulnerable to variations of this attack. What is the
correct solution for people using 3.2.1, since that is the recommended
release for production use?
$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0; Linux 2.4.2
i386; java.vendor=Caldera Systems Inc.)
[numguess.jsp source follows]
$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java 1.3.0;
Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
[numguess.jsp source follows]
Also could someone more familiar with the Tomcat code explain the
problem in more detail? I'm still new to Tomcat, so a pointer to
the relevant parts of the source would be very much appreciated.
Thanks
--
Stephan Seyboth - Developer
Caldera (Deutschland) GmbH
http://www.caldera.de/
