I figured out the difference that's causing the URL to be decoded twice. It
seems that as of JDK1.3.0, URLs using the file: scheme are now decoded like
http: scheme URLs. For example, file:c:\temp\%2e%2e\fubar.txt is
interpreted as file:c:\temp\..\fubar.txt. In JDK1.2.2 this would have
generated a FileNotFoundException.
I think this is a bug; file URLs should not be URL decoded. We'll see if
Sun agrees, but in the meantime I'll handle this in Tomcat to prevent file
contents from being exposed.
> -----Original Message-----
> From: Marc Saegesser [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 05, 2001 10:05 AM
> To: [EMAIL PROTECTED]
> Subject: RE: TC3.2.x and security problems
>
>
> Here's an update. I've installed JDK1.3.0 and JDK1.3.1-beta and tested
> the following URLs.
>
> All the tests were run on Win2000 using Tomcat 3.2.2b2. The only
> difference between these runs was the value of the JAVA_HOME
> environment variable.
>
> The security problems I could duplicate *only* occurred when using
> JDK1.3.x. They *never* happened with JDK1.2.2. I was able to duplicate
> problems (directory listing and file contents) for URLs using sequences
> of /%252e%252e to 'escape' from the web application directory. None of
> the /%2e%2e attacks worked.
>
> I would appreciate it if others could try these URLs on other platforms to
> see if their results vary. I'm going to investigate the JDK1.3 issues on
> Win2000.
>
> GET /examples/jsp/num/numguess.jsp%00
> JDK1.2.2 --> 404
> JDK1.3.0 --> 404
> JDK1.3.1 --> 404
>
> GET /%252e%252e/%252e%252e/%00.jsp
> JDK1.2.2 --> 404
> JDK1.3.0 --> Directory listing
> JDK1.3.1 --> Directory listing
>
> GET /examples/jsp/num/numguess.js%2570
> JDK1.2.2 --> 404
> JDK1.3.0 --> 404
> JDK1.3.1 --> 404
>
> GET /%2e%2e/%2e%2e/%00.jsp
> JDK1.2.2 --> 404
> JDK1.3.0 --> 404
> JDK1.3.1 --> 404
>
> GET /%2e%2e/%2e%2e%5cLICENSE/%00.jsp
> JDK1.2.2 --> 404
> JDK1.3.0 --> 404
> JDK1.3.1 --> 404
>
> GET /%252e%252e/%252e%252e%5cLICENSE/%00.jsp
> JDK1.2.2 --> 404
> JDK1.3.0 --> File contents
> JDK1.3.1 --> File contents
>
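As an added illustration (not code from this thread or from Tomcat itself), the following Python models the two decoding stages the mail describes: the container decodes the request URI once and checks it stays inside the context, then the JDK1.3 file: handler decodes the already-decoded path a second time, turning the leftover %2e%2e into .. after the check has passed. It also shows the single-decode check a container can apply: reject any percent escape, NUL or backslash that survives the first decode, then confirm the canonical path is still under the document root. DOC_ROOT, the function names and the "decode twice" model are constructed assumptions; the request URLs are the ones from the tests above.

```python
# Added example (not code from the Tomcat thread or from Tomcat itself):
# a small model of the two decoding stages the mail describes, plus the
# single-decode check a container can apply to stop the escape.
import posixpath
from urllib.parse import unquote

# Constructed document root standing in for a Tomcat context directory.
DOC_ROOT = "/var/www/examples"


def is_within_root(path: str, root: str = DOC_ROOT) -> bool:
    """True if the canonical path is root itself or lies beneath it."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def resolve(decoded_path: str) -> str:
    """Join a decoded request path onto DOC_ROOT and canonicalise it."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, decoded_path.lstrip("/")))


def serve_modelled(request_path: str, jdk_decodes_file_urls: bool):
    """Model of the behaviour reported in the mail.

    Stage 1: the container decodes the URI once and rejects paths that
    leave the context (this is why the plain /%2e%2e requests get 404).
    Stage 2: the file: URL handler decodes the path a second time when
    jdk_decodes_file_urls is True (the JDK1.3 behaviour in the mail); for
    JDK1.2.2 it does not.  Returns the file path that would be opened,
    or None for a 404.
    """
    once = unquote(request_path)
    candidate = resolve(once)
    if not is_within_root(candidate):
        return None
    if not jdk_decodes_file_urls:
        return candidate
    twice = unquote(once)          # '%2e%2e' left by stage 1 becomes '..'
    return resolve(twice)          # may now point outside DOC_ROOT


def serve_hardened(request_path: str):
    """Decode exactly once, then refuse anything a second decode could
    reinterpret: leftover percent escapes, NUL bytes and backslashes
    (a separator on Win32, which the %5c tests in the mail probe).
    Finally confirm the canonical path stays under DOC_ROOT."""
    once = unquote(request_path)
    if "%" in once or "\x00" in once or "\\" in once:
        return None
    candidate = resolve(once)
    if not is_within_root(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Request URLs taken from the tests in the mail.
    for url in ("/%252e%252e/%252e%252e/%00.jsp", "/%2e%2e/%2e%2e/%00.jsp"):
        print(f"{url}: JDK1.2.2 -> {serve_modelled(url, False)!r}, "
              f"JDK1.3 -> {serve_modelled(url, True)!r}, "
              f"hardened -> {serve_hardened(url)!r}")
```

Run stand-alone it prints, for the double-encoded URL, a path under the context for the JDK1.2.2 model (which then 404s because no such file exists) and a path above the context for the JDK1.3 model, while the hardened resolver returns None for it and still serves ordinary paths such as /jsp/num/numguess.jsp.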