Mailing List Archive

tomcat script Fw: JSP source code exposure in Tomcat 4.x
hi,

just wrote this script for the new tomcat problem.

i needed a second if clause, because tomcat seems to react somehow
differently.

example:

http://www.xo.gr/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp (200 server status, found once)

http://www.oceansatlas.org/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp (normal reaction, found most times)


greets,
felix


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------


----- Original Message -----
From: "Rossen Raykov" <Rossen.Raykov@CognicaseUSA.com>
To: "BugTraq (E-mail)" <bugtraq@securityfocus.com>
Sent: Tuesday, September 24, 2002 4:12 PM
Subject: JSP source code exposure in Tomcat 4.x


> Tomcat 4.x JSP source exposure security advisory
>
> 1. Summary
> Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
> vulnerable to source code exposure by using the default servlet
> org.apache.catalina.servlets.DefaultServlet.
>
>
> 2. Details:
> Let's say you have a valid URL like http://my.site/login.jsp, then a URL like
>
> http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
> will give you the source code of the JSP page.
>
> The full syntax of the exposure URL is:
>
> http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
>
> For example to see the JSP source of Tomcat 4.1.10 admin application
> http://localhost:8080/admin/index.jsp
> execute
>
> http://localhost:8080/admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp
>
>
> 3. Solution:
> 3.1 Upgrade to the last releases 4.0.5 and 4.1.12
> See
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the last
> releases.
>
> 3.2 Workaround:
> There are at least two ways to protect from this vulnerability.
> A. Tomcat in tandem with HTTP server front-end:
> a. If you are using front-end HTTP server you can filter all
> requests with the pattern
> */servlet/org.apache.catalina.servlets.DefaultServlet*
> b. If you are using mod_jk to connect Tomcat to your
> front-end server, map to Tomcat only the URLs that are part of your
> application, not all requests. See the usage of the JkMount directive.
> B. If you are using standalone Tomcat then add protection for this
> location in all your application descriptors - web.xml. Simple example:
>
> <security-constraint>
>   <display-name>Default Servlet</display-name>
>   <!-- Disable direct calls on the Default Servlet -->
>   <web-resource-collection>
>     <web-resource-name>Disallowed Location</web-resource-name>
>     <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name></role-name>
>   </auth-constraint>
> </security-constraint>
>
> See the server's documentation for more details.
>
> Regards,
> Rossen Raykov
>
> PS. Special thanks to the Tomcat development team for their quick
> response.
>
> ---
> Rossen Raykov
> COGNICASE U.S.A. Inc.
> (908) 860-1100 Ext. 1140
> Rossen.Raykov@CognicaseUSA.com
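
A defender-side companion to the advisory above, written for this archive page and not part of Felix's script, Rossen's post or Tomcat itself. It does two things the thread talks about but does not show in code: it scans access-log request lines for the exposure URL syntax from section 2 (so an administrator can see whether the default servlet was ever called directly), and it audits a web.xml for the section 3.2 workaround, checking that a security-constraint covers the DefaultServlet path, applies to GET, and has an auth-constraint that grants no role (which is what denies everyone). The log lines, the web.xml documents and the IP addresses are constructed for the example; the function names are my own.

```python
"""Checks for the Tomcat 4.x DefaultServlet JSP source exposure.

Added example for the mailing-list thread; not code from Tomcat, from the
advisory or from Felix's script. All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Exposure URL syntax from the advisory:
#   /[Context/]servlet/org.apache.catalina.servlets.DefaultServlet/[path/]file.jsp
# The context prefix is optional, so we anchor on the /servlet/ segment.
PROBE_RE = re.compile(r"/servlet/" + re.escape(DEFAULT_SERVLET) + r"(?:/|$)", re.IGNORECASE)

# Common Log Format: client, ident, user, [time], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_default_servlet_probe(path: str) -> bool:
    """True if the request path calls the default servlet directly."""
    return PROBE_RE.search(path) is not None


def find_probes(log_lines):
    """Return (client_ip, path, status) for each request matching the pattern.

    The path is percent-decoded before matching so encoded variants of the
    same path are normalised to one form for the check.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF request line; skip rather than guess
        ip, _method, path, status = m.groups()
        if is_default_servlet_probe(unquote(path)):
            hits.append((ip, path, int(status)))
    return hits


def _local(tag: str) -> str:
    """Strip an XML namespace such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def web_xml_denies_default_servlet(web_xml: str) -> bool:
    """True if some <security-constraint> in web.xml blocks the exposure path.

    A constraint blocks it when: a <url-pattern> covers the DefaultServlet
    path, GET is covered (either listed or no <http-method> list at all,
    which means every method), and an <auth-constraint> is present whose
    <role-name> elements are all empty, i.e. no role is granted access.
    """
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        covers = any(p.startswith("/servlet/" + DEFAULT_SERVLET) for p in patterns)
        methods = [(e.text or "").strip().upper() for e in sc.iter() if _local(e.tag) == "http-method"]
        get_covered = not methods or "GET" in methods
        auth = [e for e in sc.iter() if _local(e.tag) == "auth-constraint"]
        if not auth:
            continue  # no auth-constraint means the resource is not protected
        roles = [(r.text or "").strip() for r in auth[0].iter() if _local(r.tag) == "role-name"]
        denies_all = all(r == "" for r in roles)
        if covers and get_covered and denies_all:
            return True
    return False


# Constructed sample access-log lines (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2002:16:12:01 -0400] "GET /admin/index.jsp HTTP/1.0" 200 1532
203.0.113.7 - - [24/Sep/2002:16:12:05 -0400] "GET /admin/servlet/org.apache.catalina.servlets.DefaultServlet/index.jsp HTTP/1.0" 200 2210
198.51.100.9 - - [24/Sep/2002:16:13:10 -0400] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.1" 403 512
198.51.100.9 - - [24/Sep/2002:16:13:12 -0400] "GET /servlet/com.example.MyServlet/x HTTP/1.1" 200 300
""".splitlines()

# Constructed web.xml carrying the advisory's workaround constraint.
GOOD_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disallowed Location</web-resource-name>
      <url-pattern>/servlet/org.apache.catalina.servlets.DefaultServlet/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name></role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed counter-example: same pattern, but the constraint grants the
# "admin" role instead of denying everyone, so it is not a fix.
WEAK_WEB_XML = GOOD_WEB_XML.replace("<role-name></role-name>", "<role-name>admin</role-name>")

if __name__ == "__main__":
    for ip, path, status in find_probes(SAMPLE_LOG):
        print(f"default-servlet call from {ip}: {path} -> {status}")
    print("workaround present:", web_xml_denies_default_servlet(GOOD_WEB_XML))
    print("weak constraint:", web_xml_denies_default_servlet(WEAK_WEB_XML))
```

Run against a real access log by feeding the file's lines to `find_probes`; a 200 on such a request from before the upgrade is the line to treat as a probable source disclosure, while 403s show the constraint doing its job. The audit deliberately fails a constraint that lists http-methods without GET, because in web.xml listing methods limits the constraint to those methods only.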