ET LoWNOISE propagated the following meme:

> --[ LoWNOISE ] Aug/2001
> --[ Jakarta-Tomcat v3.2.1 Maybe Others ]
>
> Tested on: Apache 1.3.19 (WinNT 4.0)
>
> The Problems:
>
> --[ Path Revealing and Method discovery ]

This is really a terrible advisory, and it's largely a non-problem anyway. I have been entirely unable to replicate the DOS portion of the problem, but here's a better write-up of the "path revealing" portion.

Background:
===========

In a Java Server Pages system, the JSP files are compiled into Java classes before being executed. The compilation process happens the first time the JSP file is accessed after it is modified, so in the absence of proper system testing, any compilation errors will be caught at access time rather than during deployment. JSP pages can also throw exceptions in a number of circumstances, which will lead to error messages being displayed.

Problem:
========

In jakarta-tomcat the default error page consists of the message of the exception that was thrown, and a stack-trace. In the case of a JSP compilation error, the exception message contains the absolute path to the JSP source and a description of the compilation error. The stack-trace always contains the list of method calls leading up to the creation of the exception.

While this is very useful in a development environment, it gives an attacker information about the structure of the code behind the application, and possibly the location of the JSP within the host filesystem.

Solution:
=========

In a production system, NEVER use the default error page. You may create a custom error page for your web application by using the <error-page> directive in web.xml. For example, placing the following within your <web-app> will catch all JSP compilation/runtime exceptions and redirect them to the page of your choice:

    <error-page>
        <exception-type>org.apache.jasper.JasperException</exception-type>
        <location>/safeErrorPage.html</location>
    </error-page>

Charles Miller (Hi, Paul)
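A fuller web.xml fragment, added here as an example and not part of the original post or of Tomcat's own distribution: it keeps the JasperException entry above and adds a catch-all for other exceptions and for container-generated 500 responses, so that no exception type falls through to the default stack-trace page. It assumes a Servlet 2.2 descriptor (what Tomcat 3.2 implements) and reuses the post's /safeErrorPage.html name.

```xml
<!-- Added example (not from the original post or from Tomcat). Servlet 2.2
     web.xml: the DTD fixes element order, so these <error-page> entries go
     after <welcome-file-list> and before any <taglib>. -->
<web-app>

  <!-- JSP compilation and runtime failures: the case in the advisory, where
       the default page would show the absolute path of the .jsp source. -->
  <error-page>
    <exception-type>org.apache.jasper.JasperException</exception-type>
    <location>/safeErrorPage.html</location>
  </error-page>

  <!-- Everything else a servlet or JSP can throw. Without this a non-Jasper
       exception (e.g. a NullPointerException in a bean) still reaches the
       default page with its stack trace. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/safeErrorPage.html</location>
  </error-page>

  <!-- Status-code mapping for 500 responses the container produces itself
       rather than delivering as an exception. -->
  <error-page>
    <error-code>500</error-code>
    <location>/safeErrorPage.html</location>
  </error-page>

</web-app>
```

The target is deliberately a static HTML file: an error page written as a JSP could itself fail to compile or throw, and a second failure while rendering the error page is exactly the situation where the default stack-trace page comes back.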
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 07:35:19 PDT