
Tomcat JSP source code exposure
25th Sep 2002 [SBWID-5709]

	Tomcat JSP source code exposure


	Tomcat 4.x


	Tomcat 4.0.4 and 4.1.10 (and probably all earlier versions as well) are
	vulnerable to source code exposure through the default servlet.



	Let's say you have a valid URL like , then a URL


	will give you the source code of the JSP page.

	The full syntax of the exposure URL is:



	For example, to see the JSP source of the Tomcat 4.1.10 admin application:







	Upgrade to the latest releases, 4.0.5 and 4.1.12. See


	for the latest releases.




	There are at least two ways to protect from this vulnerability.

	 A. Tomcat in tandem with HTTP server front-end:

	  a. If you are using a front-end HTTP server, you can filter all

	     requests with the pattern




	  b. If you are using mod_jk to connect Tomcat to your

	     front-end server, map to Tomcat only the URLs that are part of your

	     application, not all requests. See the usage of the JkMount directive.


	 B. If you are using standalone Tomcat, then add protection for this

	    location in all your application descriptors (web.xml). Simple example:



	  <display-name>Default Servlet</display-name>

	  <!-- Disable direct calls on the Default Servlet -->


	    <web-resource-name>Disallowed Location</web-resource-name>














	  See the server's documentation for more details.


	 Update (26 September 2002)



	Martin Robson [] says:

	No, your best bet is to comment out the following line (and no, it won't
	be all on one line) from your web.xml file, then schedule an upgrade to
	Tomcat 4.1.12 Stable or Tomcat 4.0.5.

	<servlet-mapping>
	  <servlet-name>invoker</servlet-name>
	  <url-pattern>/servlet/*</url-pattern>
	</servlet-mapping>


	The Jakarta Team has already posted a response to this bug; it can be
	viewed here:
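	As an added example (not part of the advisory or of Tomcat itself), the following script audits a web.xml for the two mitigations described above: whether the invoker mapping quoted in the update is still live, and which locations are denied to everyone through a security-constraint with an empty auth-constraint, as in section B. The two descriptors are constructed samples, and the url-pattern in the hardened one is a placeholder, since the advisory's actual location is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip a namespace prefix ({uri}name -> name); Tomcat 4 descriptors have none.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Report URL patterns routed to the invoker servlet and patterns denied
    to everyone via a security-constraint with an empty <auth-constraint/>."""
    root = ET.fromstring(xml_text)
    invoker, denied = [], []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "servlet-mapping" and _child_text(elem, "servlet-name") == "invoker":
            invoker.append(_child_text(elem, "url-pattern"))
        elif tag == "security-constraint":
            auth = [c for c in elem if _local(c.tag) == "auth-constraint"]
            # An <auth-constraint> without any <role-name> grants access to no one.
            if auth and not any(_local(r.tag) == "role-name" for r in auth[0]):
                for coll in elem:
                    if _local(coll.tag) == "web-resource-collection":
                        denied += [(p.text or "").strip() for p in coll
                                   if _local(p.tag) == "url-pattern"]
    return {"invoker_patterns": invoker, "denied_patterns": denied}

# Constructed sample: the invoker mapping quoted in the advisory is still live.
EXPOSED_WEB_XML = """<web-app>
  <servlet-mapping> <servlet-name>invoker</servlet-name>
  <url-pattern>/servlet/*</url-pattern> </servlet-mapping>
</web-app>"""

# Constructed sample: invoker mapping commented out, placeholder location denied.
HARDENED_WEB_XML = """<web-app>
  <!-- <servlet-mapping> <servlet-name>invoker</servlet-name>
       <url-pattern>/servlet/*</url-pattern> </servlet-mapping> -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disallowed Location</web-resource-name>
      <url-pattern>/PLACEHOLDER-LOCATION/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
```

	Run audit_web_xml on each descriptor under a deployed Tomcat to confirm that no invoker pattern is reported and that the intended location appears among the denied patterns.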

