Re: [LoWNOISE] Tomcat 3.2.1 ..0 DoS (WinNT)

From: Charles Miller (cmillerat_private)
Date: Fri Aug 17 2001 - 03:43:20 PDT

    ET LoWNOISE propagated the following meme:
    > --[ LoWNOISE ]  Aug/2001
    > --[ Jakarta-Tomcat v3.2.1 Maybe Others ]
    > 
    > Tested on: Apache 1.3.19 (WinNT 4.0)
    > 
    > The Problems:
    > 
    > --[Path Revealing and Method discovery ]
    
    This is really a terrible advisory, and it's largely a non-problem
    anyway. I have been entirely unable to replicate the DOS portion of the
    problem, but here's a better write-up of the "path revealing" portion.
    
    
    Background:
    ===========
    
    In a Java Server Pages system, the JSP files are compiled into Java
    classes before being executed. The compilation process happens the first
    time the JSP file is accessed after it is modified, so in the absence
    of proper system testing, any compilation errors will be caught at access
    time rather than during deployment. JSP pages can also throw exceptions
    in a number of circumstances, which will lead to error messages being
    displayed.
    
    Problem:
    ========
    
    In jakarta-tomcat the default error page consists of the message of the
    exception that was thrown, and a stack-trace. In the case of a JSP
    compilation error, the exception message contains the absolute path to the
    JSP source and a description of the compilation error. The stack-trace
    always contains the list of method calls leading up to the creation of the
    exception.
    
    While this is very useful in a development environment, it gives an
    attacker information about the structure of the code behind the
    application, and possibly the location of the JSP within the host
    filesystem.
    
    Solution:
    =========
    
    In a production system, NEVER use the default error page. You may
    create a custom error page for your web application by using the
    <error-page> directive in web.xml. For example, placing the following
    within your <web-app> will catch all JSP compilation/runtime exceptions
    and redirect them to the page of your choice:
    
    <error-page>
       <exception-type>org.apache.jasper.JasperException</exception-type>
       <location>/safeErrorPage.html</location>
    </error-page>
    
    Charles Miller
       (Hi, Paul)
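
Added example, not part of the original post: a deployment check that parses a web.xml and reports whether the `<error-page>` mapping described above is present and well-formed. The function name `audit_web_xml`, the sample descriptors and the leading-slash rule for `<location>` (taken from the form used in the post's example) are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

JASPER = "org.apache.jasper.JasperException"

# Constructed sample descriptors (not taken from a real deployment).
GOOD = """<web-app>
  <error-page>
    <exception-type>org.apache.jasper.JasperException</exception-type>
    <location>/safeErrorPage.html</location>
  </error-page>
</web-app>"""
NO_MAPPING = "<web-app><display-name>demo</display-name></web-app>"
BAD_LOCATION = GOOD.replace("/safeErrorPage.html", "safeErrorPage.html")
MISMATCHED = GOOD.replace("</exception-type>", "</exception>")


def local(tag):
    """Strip an XML namespace prefix such as '{ns}error-page'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(text, exception=JASPER):
    """Return a list of findings; an empty list means the mapping is in place."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # A mismatched closing tag lands here: the descriptor cannot be trusted.
        return [f"descriptor is not well-formed XML: {exc}"]
    findings = []
    mapped = False
    for page in (e for e in root.iter() if local(e.tag) == "error-page"):
        fields = {local(c.tag): (c.text or "").strip() for c in page}
        if fields.get("exception-type") != exception:
            continue
        mapped = True
        location = fields.get("location", "")
        # Assumption: a context-relative path with a leading '/', as in the post.
        if not location.startswith("/"):
            findings.append(f"location {location!r} must start with '/'")
    if not mapped:
        findings.append(f"no <error-page> mapping for {exception}")
    return findings


if __name__ == "__main__":
    for name in ("GOOD", "NO_MAPPING", "BAD_LOCATION", "MISMATCHED"):
        print(name, audit_web_xml(globals()[name]) or "ok")
```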
    


