I had a few spare minutes so I went ahead and grabbed last night's build. I ran it on Red Hat Linux 7.2 and can confirm the report.
Requesting foo.jsp%00.txt gets you the source. Requesting foo.jsp%00 gets you a strange page that includes some HTML widgets and some of the JSP source too.

Surprising (at least to me) and ugly.

-David

-----Original Message-----
From: Remy Maucherat [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 16, 2002 2:18 PM
To: [EMAIL PROTECTED]
Subject: [4.0-HEAD] JSP source exposure ?

Hi,

I got a report about a URL based exploit against the nightly builds for TC 4 (4.0-HEAD). Basically, accessing foo.jsp%00 (or foo.jsp%00.txt) is supposed to get the source code for foo.jsp.

I cannot reproduce the problem when Tomcat is running on Windows (I get a 404 for that kind of URL). However, since I refactored the URL handling, this kind of problem may have been reintroduced. If I could get reports from people running the nightlies on Unix, that would be nice.

Note: If there's a problem, it would be a good idea for the URL decoding method to complain when it encounters a null character when decoding a %xx, as I don't see a single valid use case for that (except in URL based attacks, of course).

Thanks,
Remy

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
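
The decoder behaviour suggested in the original message (complain when a %xx escape decodes to a null character), sketched as an added example. This is not Tomcat's code and not from either message; the class and method names and the UTF-8 charset are assumptions, and the sample paths are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added example with hypothetical names; not Tomcat's decoder.
public class StrictPathDecoder {

    // Value of one ASCII hex digit, or -1 if the character is not one.
    static int hex(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    // Decodes %xx escapes; throws instead of returning a path that contains NUL.
    static String decode(String path) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            int b = c;
            if (c == '%') {
                if (i + 2 >= path.length())
                    throw new IllegalArgumentException("truncated escape at " + i);
                int hi = hex(path.charAt(i + 1)), lo = hex(path.charAt(i + 2));
                if (hi < 0 || lo < 0)
                    throw new IllegalArgumentException("bad escape at " + i);
                b = (hi << 4) | lo;
                i += 2;
            } else if (c > 0x7F) {
                throw new IllegalArgumentException("unescaped non-ASCII at " + i);
            }
            // No valid file name contains NUL, so it is never legitimate in a
            // resource path, whether it arrives escaped (%00) or raw.
            if (b == 0)
                throw new IllegalArgumentException("NUL byte in path");
            out.write(b);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8); // assumed charset
    }

    public static void main(String[] args) {
        // Constructed sample paths, including the two forms from the report.
        String[] samples = {"/foo.jsp", "/my%20page.jsp", "/foo.jsp%00", "/foo.jsp%00.txt"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + decode(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

A caller would turn the exception into an error response before the path is mapped to a servlet or a file.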