COMMAND

    Tomcat

SYSTEMS AFFECTED

    Tomcat

PROBLEM

    'ET LoWNOISE' found the following.  Example:

        http://host/\index.jsp
        
        Error: 500
        Location: /index.jsp
        Internal Servlet Error:
        
        org.apache.jasper.JasperException: Unable to compile class for JSP
        C:\tomcat\jakarta-tomcat-3.2.1\work\localhost_8080\_0002findex_0002ejspindex_jsp_69.java:482:
        Method autenticate(java.lang.String) not found in class ENTERPRISE.login.
                        if(pubBean.autenticate(password) != 0)
                                                   ^
        C:\tomcat\jakarta-tomcat-3.2.1\work\localhost_8080\_0002findex_0002ejspindex_jsp_69.java:664:
        Method
        Others methods...

    This information will  help debug any JSP,  and may also give  away
    some critical information.

    Charles  Miller  has  been  entirely  unable  to replicate the DoS
    portion of the problem, but here's a better write-up of the  "path
    revealing" portion.

    In a  Java Server  Pages system,  the JSP  files are compiled into
    Java  classes  before  being  executed.   The  compilation process
    happens  the  first  time  the  JSP  file  is accessed after it is
    modified,  so  in  the  absence  of  proper  system  testing,  any
    compilation  errors  will  be  caught  at  access time rather than
    during  deployment.   JSP  pages  can  also  throw exceptions in a
    number of circumstances, which  will lead to error  messages being
    displayed.

    In jakarta-tomcat the default  error page consists of  the message
    of the exception that was thrown, and a stack-trace.  In the  case
    of a  JSP compilation  error, the  exception message  contains the
    absolute  path  to  the  JSP  source  and  a  description  of  the
    compilation error.   The stack-trace always  contains the list  of
    method calls leading up to the creation of the exception.

    While this is very useful  in a development environment, it  gives
    an attacker  information about  the structure  of the  code behind
    the application, and possibly the  location of the JSP within  the
    host filesystem.

SOLUTION

    In a production system, NEVER use the default error page.  You may
    create a custom error page  for your web application by  using the
    <error-page>  element  in  web.xml.   For  example,  placing  the
    following   within   your   <web-app>    will   catch   all    JSP
    compilation/runtime exceptions  and send  them to  the page of your
    choice instead of the default trace:

        <error-page>
           <exception-type>org.apache.jasper.JasperException</exception-type>
           <location>/safeErrorPage.html</location>
        </error-page>
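    As an added check, not part of the advisory: a small Python script that
    reads a web.xml and reports whether a JasperException would still fall
    through to Tomcat's default error page.  The three sample descriptors are
    constructed for this example; only an exact exception-type match or an
    error-code 500 mapping is counted as coverage, since superclass matching
    is container-dependent and not assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the advisory): one relying on Tomcat's
# default error page, one carrying the <error-page> mapping from the SOLUTION.
WEB_XML_DEFAULT = """<web-app>
  <servlet><servlet-name>login</servlet-name><jsp-file>/index.jsp</jsp-file></servlet>
</web-app>"""

WEB_XML_FIXED = """<web-app>
  <error-page>
    <exception-type>org.apache.jasper.JasperException</exception-type>
    <location>/safeErrorPage.html</location>
  </error-page>
</web-app>"""

# Same mapping with a mismatched closing tag: not well-formed XML, so the
# container cannot apply it and the default error page is still what is served.
WEB_XML_BROKEN = WEB_XML_FIXED.replace("</exception-type>", "</exception>")


def error_page_mappings(web_xml):
    """Return {('exception-type' | 'error-code', value): location} for each
    <error-page>.  Raises xml.etree.ElementTree.ParseError on malformed XML."""
    mappings = {}
    for page in ET.fromstring(web_xml).iter("error-page"):
        location = page.findtext("location")
        for kind in ("exception-type", "error-code"):
            value = page.findtext(kind)
            if value is not None:
                mappings[(kind, value.strip())] = location
    return mappings


def jsp_errors_reach_default_page(web_xml):
    """True when a JasperException (JSP compile or runtime error) would be
    rendered by Tomcat's default page, i.e. absolute source path and stack
    trace go to the client.  A descriptor that does not parse counts as
    unprotected, because no custom mapping can be loaded from it."""
    try:
        mappings = error_page_mappings(web_xml)
    except ET.ParseError:
        return True
    return not (("exception-type", "org.apache.jasper.JasperException") in mappings
                or ("error-code", "500") in mappings)


if __name__ == "__main__":
    for name, xml in (("default", WEB_XML_DEFAULT), ("fixed", WEB_XML_FIXED),
                      ("broken", WEB_XML_BROKEN)):
        print(name, "leaks" if jsp_errors_reach_default_page(xml) else "safe")
```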