SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Tomcat Java Server Lets Malicious Java Servlets or JSP Pages Access Any File on the Server
SecurityTracker Alert ID:  1003739
SecurityTracker URL:  http://securitytracker.com/id/1003739
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 5 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 4.0.3
Description:   A vulnerability was reported in the Tomcat Java server. A malicious servlet or JSP page could read any file on the server.

It is reported that a request dispatcher can be used to bypass the Java Security Manager sandbox, enabling a malicious servlet or JSP page to read any file from the server filesystem.

Using a request dispatcher with a relative URL (including '/../') reportedly allows a servlet or JSP to access files on the server filesystem, bypassing the protection the security manager provides. This reportedly occurs only when an include statement is used with a relative path; the security manager still blocks reads that use the real path or ordinary programmatic file access.

The following is a demonstration exploit line from a file in 'foo1' (a separate context from 'foo2'):

<jsp:include page="../../../foo2/jsp/include/junk.txt"/>
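As an added illustration of the check the description implies (this is not Tomcat's own code and not the vendor's 4.0.3 fix), the following Java class resolves a jsp:include target against the including page the way a request dispatcher would, then refuses any path whose '..' segments climb above the context root. A second method repeats the check at the filesystem layer, requiring the canonical file to remain under the context's docBase directory. The class name, method names, the docBase location and the sample page path are assumptions made up for the example; the '../../../foo2/...' target is the line from the report above.

```java
// Added example, not Tomcat code: guard a jsp:include target so that it can
// never resolve outside the web application's context root.
import java.io.File;
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;

public final class ContextPathGuard {

    /** Raised when an include path would resolve outside the context root. */
    public static final class EscapeException extends IllegalArgumentException {
        EscapeException(String msg) { super(msg); }
    }

    /**
     * Resolve includePath against the page currently executing (e.g. "/jsp/index.jsp")
     * and return a normalized, context-relative path that starts with "/".
     * A ".." that would pop past the context root is rejected instead of being
     * silently clamped, which is the behaviour the advisory describes as missing.
     */
    public static String resolveWithinContext(String currentServletPath, String includePath) {
        String combined;
        if (includePath.startsWith("/")) {
            combined = includePath;                          // already context-relative
        } else {
            int slash = currentServletPath.lastIndexOf('/');
            String dir = slash >= 0 ? currentServletPath.substring(0, slash + 1) : "/";
            combined = dir + includePath;                    // relative to the including page
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : combined.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                                    // "//" and "." carry no meaning
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    throw new EscapeException("include path escapes context root: " + includePath);
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /**
     * Second, independent guard at the filesystem layer: the canonical path of the
     * candidate file must stay under the canonical docBase (catches symlinks and
     * platform-specific path quirks that string normalization alone would miss).
     */
    public static File toFileUnderDocBase(File docBase, String contextRelativePath) throws IOException {
        String base = docBase.getCanonicalPath();
        File candidate = new File(docBase, contextRelativePath).getCanonicalFile();
        String path = candidate.getPath();
        if (!path.equals(base) && !path.startsWith(base + File.separator)) {
            throw new EscapeException("resolved file lies outside docBase: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a page inside context foo1 whose docBase is assumed
        // to live under the JVM's temp directory.
        String page = "/jsp/index.jsp";
        File docBase = new File(System.getProperty("java.io.tmpdir"), "foo1");
        String[] targets = {
            "include/junk.txt",                       // stays inside foo1
            "/jsp/include/junk.txt",                  // context-relative, stays inside foo1
            "../../../foo2/jsp/include/junk.txt",     // the line from the advisory
        };
        for (String t : targets) {
            try {
                String rel = resolveWithinContext(page, t);
                System.out.println("ALLOW " + t + " -> " + toFileUnderDocBase(docBase, rel));
            } catch (EscapeException e) {
                System.out.println("DENY  " + t + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `javac ContextPathGuard.java && java ContextPathGuard`; the first two targets are allowed and the advisory's '../../../foo2/...' line is denied by the segment walk before any file is opened. The two checks are deliberately independent: the segment walk rejects traversal at the URL layer, and the canonical-path comparison catches anything the string logic did not anticipate.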

Impact:   A malicious servlet or JSP page could access any file on the server.
Solution:   The vendor has released a fixed version (4.0.3), available at:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/

The fix is also available as a smaller binary patch which can be applied to an existing Tomcat 4.0.2 installation.

The vendor notes that people who are not using the Java Security Manager to run Tomcat do not need to upgrade.

Vendor URL:  jakarta.apache.org/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Tomcat


Tomcat 4.0.3 is available at:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/

This release fixes a security vulnerability allowing the use of a
request dispatcher to bypass the Java Security Manager sandbox, and
would enable a malicious servlet or JSP page to read any file from the
server filesystem. This is the only change in this release. The fix is
also available as a smaller binary patch which can be applied to an
existing Tomcat 4.0.2 installation. People who are not using the Java
Security Manager to run Tomcat do not need to upgrade.

-----------------------------------------------------
From the Tomcat Bugzilla database (#6772):

Using a request dispatcher with a relative URL (including '/../') allows a
servlet or JSP to access files on the server filesystem, bypassing the
protection the security manager provides.

From the original report:

The problem is this: with a more-or-less default installation of Tomcat
using the security manager, in a jsp:include you can access outside of
your context using ../../../ .  Note that in other forms of reading the
files, the security manager correctly prohibits access (both in a
jsp:include giving the real path, and in standard programmatic file 
opening with real and ../ paths).  It's just in the case of the include
with relative path that it allows access to others' files.

Here's a sample line of a jsp that should generate an error, but
doesn't.  The contexts are foo1/ and foo2/, they are defined in separate
context tags.  This line is from a file in foo1/.
<jsp:include page="../../../foo2/jsp/include/junk.txt"/>

Copyright 2019, SecurityGlobal.net LLC