COMMAND

    Tomcat

SYSTEMS AFFECTED

    Tomcat 4.0-b2 for winnt/2000

PROBLEM

    'lovehacker'  found  the  following  (CHINANSL  Security  Advisory
    CSA-200110).  A security  vulnerability has been found  in Windows
    NT/2000  systems   that  have   Tomcat  4.0-b2   installed.    The
    vulnerability allows remote attackers to retrieve the source  code
    of ".jsp" files instead of having the server execute them.

    Exploit (the "%252e" decodes to "%2e" on the first pass and to "."
    on the second, so the request ends up mapped to snoop.jsp):

        http://target:8080/examples/snp/snoop%252ejsp

    Sverre H.  Huseby added  the following.   Tomcat,  the   Reference
    Implementation for the Java  Servlet 2.2 and JavaServer  Pages 1.1
    Technologies, may be tricked into revealing the source code of JSP
    scripts by using simple URL encoding.  It seems that the  built-in
    web server in affected versions of Tomcat does URL decoding twice.
    URLs like the following

        http://someplace.com:8080/index.js%2570

    where %25 is a URL-encoded  '%', and 70 is the hexadecimal   value
    for 'p', return the source code of index.jsp rather than   running
    the script on the server side.

    To speculate (read: guess): The JSP handler is skipped as this URL
    does not end  in ".jsp" (after  URL decoding the  first time), but
    the static file handler is  nevertheless able to map the  URL into
    a correct file name (doing URL decoding a second time).

    This design error  makes it possible  to fetch the  source code of
    JSP scripts.  Such source code may contain database passwords  and
    file names, and may reveal design errors or programming bugs  that
    make it possible to further exploit the server or service.
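    The following is an added example, not Tomcat code and not  part
    of the original advisory.  It models the guessed mechanism  above
    (dispatch on a once-decoded path, file lookup on a  twice-decoded
    path) against a constructed in-memory webapp, shows the same  two
    requests against a dispatcher that decodes exactly once, and adds
    a log check that flags double-encoded paths.  WEBAPP, run_jsp and
    the handler names are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed in-memory "webapp" (path -> JSP source); not a real Tomcat tree.
WEBAPP = {
    "/index.jsp": '<%= "hello" %>',
    "/examples/snp/snoop.jsp": '<%= request.getRemoteAddr() %>',
}


def run_jsp(source):
    """Stand-in for the JSP engine: returns rendered output, never the source."""
    return "<rendered %d bytes of JSP>" % len(source)


def vulnerable_server(raw_path):
    """Models the guessed Tomcat 4.0-b2 behaviour (an assumption, not Tomcat's
    real code): the JSP/static decision is made on a once-decoded path, but
    the static file handler decodes again before opening the file."""
    once = unquote(raw_path)                 # "/index.js%2570" -> "/index.js%70"
    if once.endswith(".jsp"):
        src = WEBAPP.get(once)
        return ("jsp", run_jsp(src)) if src is not None else ("404", "")
    twice = unquote(once)                    # "/index.js%70"   -> "/index.jsp"
    src = WEBAPP.get(twice)
    # Static handler: the JSP source is sent verbatim.
    return ("static", src) if src is not None else ("404", "")


def fixed_server(raw_path):
    """Decode exactly once and let every handler see the same canonical path.
    A path such as "/index.js%70" simply does not exist, so it gets a 404
    instead of being re-decoded into a file the dispatcher never classified."""
    path = unquote(raw_path)
    src = WEBAPP.get(path)
    if src is None:
        return ("404", "")
    if path.endswith(".jsp"):
        return ("jsp", run_jsp(src))
    return ("static", src)


_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def looks_double_encoded(raw_path):
    """Access-log / WAF check: after one decode, a legitimate request should
    contain no further %XX escape.  "%2570" and "%252e" both trip this."""
    return _PCT.search(unquote(raw_path)) is not None


if __name__ == "__main__":
    for p in ("/index.jsp", "/index.js%2570", "/examples/snp/snoop%252ejsp"):
        print(p, "vuln:", vulnerable_server(p), "fixed:", fixed_server(p),
              "double-encoded:", looks_double_encoded(p))
```

    To verify a live host after  upgrading, request both the plain and
    the "%2570"/"%252e" forms  of a known JSP  and confirm the  encoded
    form no longer returns a body containing "<%".  The detector  above
    will also flag  a legitimately encoded  literal percent sign  (e.g.
    "100%25.jsp"), so treat it as a triage signal, not a block rule.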

SOLUTION

    The Tomcat team  was notified on  2001-04-01, and they  provided a
    fix on 2001-04-03.   Everybody should upgrade  to at least  Tomcat
    4.0 beta 3.