COMMAND

    Tomcat

SYSTEMS AFFECTED

    Tomcat 4.0-b1

PROBLEM

    Sverre H. Huseby found the following.  Tomcat 4.0-b1 (the latest
    milestone) and the nightly build as of 2001-03-28 were tested.  Other
    versions may be vulnerable too.  The problem is only present when
    using Tomcat's built-in web server, not when using Tomcat behind the
    Apache Web Server.

    Tomcat, the Reference Implementation for the Java Servlet 2.2 and
    JavaServer Pages 1.1 Technologies, may be tricked into revealing the
    source code of JSP scripts by using simple URL encoding.

    It seems that the built-in web server in Tomcat does URL decoding in
    an unreasonable order.  A URL like the following

        http://XXX:8080/examples/jsp/num/numguess.js%70

    where %70 is a URL-encoded 'p', returns the source code of index.jsp
    rather than running the script on the server side.

    To speculate: the JSP handler is skipped because this URL does not
    end in ".jsp", but the static file handler is nevertheless able to
    map the URL to the correct file name.

    This design error makes it possible to fetch the source code of JSP
    scripts.  Such source code may contain database passwords and file
    names, and may reveal design errors or programming bugs that make it
    possible to further exploit the server or service.

    Another way to exploit:

        http://target:8080/examples/snp/snoop%2ejsp

    There is another way to get the source of a JSP page from Tomcat.
    If the GET request line does not end in HTTP/1.0 or HTTP/1.1, you
    get the source code rather than the output of the processed JSP.
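    The following example is added here to illustrate the dispatch-order
    problem described above and to give a defender something concrete to
    run; it is not Tomcat's code and does not describe the actual fix
    shipped in 4.0 beta 2.  flawed_select_handler() models the mechanism
    the advisory speculates about (suffix match on the still-encoded
    request target, decoding only in the static file handler), and
    fixed_select_handler() shows the general remedy: decode exactly once,
    normalize, and route every later stage on that one canonical string.
    The second half scans access-log lines for the two request shapes the
    advisory mentions (percent-encoding in a .jsp name and a GET without an
    HTTP version token).  The log format (Common Log Format), the sample
    lines, and all function names are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import unquote

JSP_SUFFIX = ".jsp"


def _path_only(raw_target: str) -> str:
    """Strip the query string; only the path takes part in handler selection."""
    return raw_target.split("?", 1)[0]


def flawed_select_handler(raw_target: str) -> tuple:
    """Models the ordering defect the advisory describes: the '*.jsp' rule is
    tested against the still-encoded request target, so 'numguess.js%70' falls
    through to the static file handler, which decodes the path afterwards and
    finds (and serves) the real numguess.jsp source.  Illustration only."""
    path = _path_only(raw_target)
    if path.endswith(JSP_SUFFIX):          # suffix test on the raw string
        return ("jsp", unquote(path))
    return ("static", unquote(path))       # decoding happens too late


def fixed_select_handler(raw_target: str) -> tuple:
    """Decode exactly once and normalize, then route on the canonical path.
    Every later stage (including file lookup) must use this same string
    verbatim, so a doubly-encoded 'js%2570' stays a literal 'js%70' and is
    never decoded a second time into '.jsp'."""
    canonical = posixpath.normpath(unquote(_path_only(raw_target)))
    if canonical.endswith(JSP_SUFFIX):
        return ("jsp", canonical)
    return ("static", canonical)


# Constructed Common Log Format lines (not from any real server) replaying the
# advisory's request shapes, followed by one ordinary request.
SAMPLE_ACCESS_LOG = "\n".join([
    '10.0.0.5 - - [28/Mar/2001:10:00:00 +0000] "GET /examples/jsp/num/numguess.js%70 HTTP/1.0" 200 1532',
    '10.0.0.5 - - [28/Mar/2001:10:00:01 +0000] "GET /examples/snp/snoop%2ejsp HTTP/1.1" 200 944',
    '10.0.0.5 - - [28/Mar/2001:10:00:02 +0000] "GET /examples/jsp/num/numguess.jsp" 200 1532',
    '10.0.0.7 - - [28/Mar/2001:10:00:03 +0000] "GET /examples/jsp/num/numguess.jsp HTTP/1.1" 200 612',
])

# Request line inside the quotes: METHOD SP TARGET [SP HTTP/x.y]
_REQUEST_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>[^"\s]+)(?: (?P<version>HTTP/\d\.\d))?"'
)


def classify_request_line(log_line: str) -> list:
    """Return the advisory-related oddities found in one access-log line:
    'encoded-jsp-suffix' when the last path segment carries percent-encoding
    that decodes to a .jsp name, and 'no-http-version' when the request line
    has no HTTP/x.y token (the version-less GET the advisory mentions)."""
    m = _REQUEST_LINE.search(log_line)
    if m is None:
        return []  # not a request line this rule understands
    findings = []
    last_segment = _path_only(m.group("target")).rsplit("/", 1)[-1]
    if "%" in last_segment and unquote(last_segment).endswith(JSP_SUFFIX):
        findings.append("encoded-jsp-suffix")
    if m.group("version") is None:
        findings.append("no-http-version")
    return findings


def scan_access_log(text: str) -> list:
    """Return (line number, findings) for every line that triggers a rule."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings = classify_request_line(line)
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for target in ("/examples/jsp/num/numguess.js%70", "/examples/snp/snoop%2ejsp"):
        print(target, "flawed ->", flawed_select_handler(target),
              "fixed ->", fixed_select_handler(target))
    for number, findings in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

    The key design point is that the canonical path is computed once and
    reused: routing and file lookup must never each perform their own
    decoding, because any stage that decodes later than the one that made
    the routing decision can change which file is served.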

SOLUTION

    This has been fixed in Tomcat 4.0 beta 2.