Vulnerability in Apache Tomcat v3.23 & v3.24 (part 3)

From: webmasterat_private
Date: Wed May 29 2002 - 06:33:42 PDT

    Procheckup Ltd
    www.procheckup.com    
    
    Procheckup Security Bulletin PR02-7
    
    	   
      Description: Multiple Tomcat sample files display the webroot location on request in the default configuration.
             Date: 8/1/2002
    
      Application: Apache Tomcat java server v3.23, 3.24.
         Platform: Linux/Unix
         Severity: Remote attackers can obtain the location of webroot
          Authors: Richard Brain [richard.brainat_private]
    Vendor Status:
    CVE Candidate: Not assigned
        Reference: www.procheckup.com/security_info/vuln.html
    
    
      Description:
    
    Tomcat is the free open-source Java server, http://jakarta.apache.org/tomcat/.
    
    Tomcat comes with a selection of example programs which display the location of the webroot with no input, when Tomcat is installed with the default configuration.
    
    The vulnerabilities may only work on port 8080 rather than port 80, dependent on how the webserver has been configured with Tomcat.
    
    A) Requesting the following url :-
    
    http://webserver/test/jsp/pageInfo.jsp
    
    The program crashes displaying:- 
    Error: 500
    Location: /test/jsp/pageInfo.jsp
    Internal Servlet Error:
    
    org.apache.jasper.JasperException: Unable to compile class for JSP/"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fpageInfo_0002ejsppageInfo_jsp_0.java:21: ';' expected.
                return " " anything <% ' ";
                          ^
    "WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fpageInfo_0002ejsppageInfo_jsp_0.java:21: Invalid character constant.
                return " " anything <% ' ";
                                       ^
    2 errors
    
    	at org.apache.jasper.compiler.Compiler.compile(Compiler.java:282)
    	at org.apache.jasper.servlet.JspServlet.doLoadJSP(JspServlet.java:612)
    	at org.apache.jasper.servlet.JasperLoader12.loadJSP(JasperLoader12.java:146)
    	at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:542)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:258)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:268)
    	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:429)
    	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:500)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    	at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:405)
    	at org.apache.tomcat.core.Handler.service(Handler.java:287)
    	at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    	at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:812)
    	at org.apache.tomcat.core.ContextManager.service(ContextManager.java:758)
    	at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:166)
    	at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    	at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
    	at java.lang.Thread.run(Thread.java:484)
    
    B) Requesting the following url :- 
    
    http://webserver/test/jsp/pageImport2.jsp
    
    Error: 500
    Location: /test/jsp/pageImport2.jsp
    Internal Servlet Error:
    
    org.apache.jasper.JasperException: Unable to compile class for JSP/"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fpageImport_00032_0002ejsppageImport2_jsp_0.java:15: Identifier expected.
    import java..;
                ^
    1 error
    
    	at org.apache.jasper.compiler.Compiler.compile(Compiler.java:282)
    	at org.apache.jasper.servlet.JspServlet.doLoadJSP(JspServlet.java:612)
    	at org.apache.jasper.servlet.JasperLoader12.loadJSP(JasperLoader12.java:146)
    	at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:542)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:258)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:268)
    	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:429)
    	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:500)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    	at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:405)
    	at org.apache.tomcat.core.Handler.service(Handler.java:287)
    	at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    	at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:812)
    	at org.apache.tomcat.core.ContextManager.service(ContextManager.java:758)
    	at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:166)
    	at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    	at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
    	at java.lang.Thread.run(Thread.java:484)
    
    C) Requesting any of the following urls :- 
    
    http://webserver/test/jsp/buffer1.jsp
    http://webserver/test/jsp/buffer2.jsp
    http://webserver/test/jsp/buffer3.jsp
    http://webserver/test/jsp/buffer4.jsp
    
    Error: 500
    Location: /test/jsp/buffer1.jsp
    Internal Servlet Error:
    
    org.apache.jasper.compiler.CompileException: /"WEBROOT"/test/jsp/buffer1.jsp(3,0) Page directive: invalid value for buffer
    	at org.apache.jasper.compiler.JspParseEventListener$BufferHandler.handlePageDirectiveAttribute(JspParseEventListener.java:490)
    	at org.apache.jasper.compiler.JspParseEventListener.handleDirective(JspParseEventListener.java:690)
    	at org.apache.jasper.compiler.DelegatingListener.handleDirective(DelegatingListener.java:116)
    	at org.apache.jasper.compiler.Parser$Directive.accept(Parser.java:215)
    	at org.apache.jasper.compiler.Parser.parse(Parser.java:1077)
    	at org.apache.jasper.compiler.Parser.parse(Parser.java:1042)
    	at org.apache.jasper.compiler.Parser.parse(Parser.java:1038)
    	at org.apache.jasper.compiler.Compiler.compile(Compiler.java:209)
    	at org.apache.jasper.servlet.JspServlet.doLoadJSP(JspServlet.java:612)
    	at org.apache.jasper.servlet.JasperLoader12.loadJSP(JasperLoader12.java:146)
    	at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:542)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:258)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:268)
    	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:429)
    	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:500)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    	at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:405)
    	at org.apache.tomcat.core.Handler.service(Handler.java:287)
    	at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    	at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:812)
    	at org.apache.tomcat.core.ContextManager.service(ContextManager.java:758)
    	at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:166)
    	at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    	at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
    	at java.lang.Thread.run(Thread.java:484)
    
    D) Requesting any of the following urls :-
    
    http://webserver/test/jsp/comments.jsp
    Error: 500
    Location: /test/jsp/comments.jsp
    Internal Servlet Error:
    
    org.apache.jasper.JasperException: Unable to compile class for JSP/"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fcomments_0002ejspcomments_jsp_0.java:20: Identifier expected.
             int;
                ^
    /"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fcomments_0002ejspcomments_jsp_0.java:72: '}' expected.
                    out.write("\n\n    ");
                                          ^
    /"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fcomments_0002ejspcomments_jsp_0.java:76: Comment not terminated at end of input.
                        /*
                        ^
    3 errors
    
    	at org.apache.jasper.compiler.Compiler.compile(Compiler.java:282)
    	at org.apache.jasper.servlet.JspServlet.doLoadJSP(JspServlet.java:612)
    	at org.apache.jasper.servlet.JasperLoader12.loadJSP(JasperLoader12.java:146)
    	at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:542)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:258)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:268)
    	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:429)
    	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:500)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    	at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:405)
    	at org.apache.tomcat.core.Handler.service(Handler.java:287)
    	at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    	at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:812)
    	at org.apache.tomcat.core.ContextManager.service(ContextManager.java:758)
    	at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:166)
    	at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    	at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
    	at java.lang.Thread.run(Thread.java:484)
    
    E)  Requesting any of the following urls :-
    
    extends1.jsp 
    
    Internal Servlet Error:
    
    org.apache.jasper.JasperException: Unable to compile class for JSPNote: sun.tools.javac.Main has been deprecated.
    "WEBROOT"/work/localhost_8080%2Ftest/_0002fjsp_0002fextends_00031_0002ejspextends1_jsp_0.java:49: Incompatible type for method. Explicit cast needed to convert jsp._0002fjsp_0002fextends_00031_0002ejspextends1_jsp_0 to javax.servlet.Servlet.
                pageContext = _jspxFactory.getPageContext(this, request, response,
                                                          ^
    1 error, 1 warning
    
    	at org.apache.jasper.compiler.Compiler.compile(Compiler.java:282)
    	at org.apache.jasper.servlet.JspServlet.doLoadJSP(JspServlet.java:612)
    	at org.apache.jasper.servlet.JasperLoader12.loadJSP(JasperLoader12.java:146)
    	at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:542)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:258)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:268)
    	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:429)
    	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:500)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    	at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:405)
    	at org.apache.tomcat.core.Handler.service(Handler.java:287)
    	at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    	at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:806)
    	at org.apache.tomcat.core.ContextManager.service(ContextManager.java:752)
    	at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:213)
    	at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    	at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
    	at java.lang.Thread.run(Thread.java:536)
    
    
    extends2.jsp 
    
    Internal Servlet Error:
    
    org.apache.jasper.JasperException: Unable to compile class for JSPNote: sun.tools.javac.Main has been deprecated.
    /"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fextends_00032_0002ejspextends2_jsp_0.java:50: Incompatible type for method. Explicit cast needed to convert jsp._0002fjsp_0002fextends_00032_0002ejspextends2_jsp_0 to javax.servlet.Servlet.
                pageContext = _jspxFactory.getPageContext(this, request, response,
                                                          ^
    1 error, 1 warning
    
    	at org.apache.jasper.compiler.Compiler.compile(Compiler.java:282)
    	at org.apache.jasper.servlet.JspServlet.doLoadJSP(JspServlet.java:612)
    	at org.apache.jasper.servlet.JasperLoader12.loadJSP(JasperLoader12.java:146)
    	at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:542)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:258)
    	at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:268)
    	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:429)
    	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:500)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    	at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:405)
    	at org.apache.tomcat.core.Handler.service(Handler.java:287)
    	at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    	at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:806)
    	at org.apache.tomcat.core.ContextManager.service(ContextManager.java:752)
    	at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:213)
    	at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    	at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
    	at java.lang.Thread.run(Thread.java:536)
    
    
    
    F) Requesting any of the following urls :-
    
    http://webserver/test/jsp/pageAutoFlush.jsp
    http://webserver/test/jsp/pageDouble.jsp
    http://webserver/test/jsp/pageExtends.jsp
    http://webserver/test/jsp/pageImport2.jsp
    
    http://webserver/test/jsp/pageInfo.jsp
    Internal Servlet Error:
    
    org.apache.jasper.JasperException: Unable to compile class for JSP/"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fpageInfo_0002ejsppageInfo_jsp_0.java:21: ';' expected.
                return " " anything <% ' ";
                          ^
    /"WEBROOT"/localhost_8080%2Ftest/_0002fjsp_0002fpageInfo_0002ejsppageInfo_jsp_0.java:21: Invalid character constant.
                return " " anything <% ' ";
    
    
    http://webserver/test/jsp/pageInvalid.jsp
    http://webserver/test/jsp/pageIsErrorPage.jsp
    http://webserver/test/jsp/pageIsThreadSafe.jsp
    http://webserver/test/jsp/pageLanguage.jsp
    http://webserver/test/jsp/pageSession.jsp
    http://webserver/test/jsp/declaration/IntegerOverflow.jsp
    
      Solution:
       Delete the samples directory if not needed
    
      Legal:
    
      Copyright 2002 Procheckup Ltd. All rights reserved.
    
      Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.
    
    
      Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
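
A defensive check, added here as an example and not part of the Procheckup bulletin: it scans web server access logs for requests to the sample JSPs under /test/jsp/ and flags those answered with a 500, and pulls any filesystem path out of a Jasper error page body so you can confirm the samples are gone. The Common Log Format input, the client addresses and the /srv/example path are constructed assumptions.

```python
import re

# Every URL in the bulletin (sections A-F) sits under this prefix.
SAMPLE_PREFIX = "/test/jsp/"

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

# Jasper prints the generated .java path (or the JSP's own path) right after
# these two message prefixes, as in the error pages quoted in the bulletin.
LEAK = re.compile(r'(?:for JSP|CompileException: )(/\S+?\.(?:java|jsp))')

def sample_probes(log_lines):
    """Return (client, path, status) for each request to a sample JSP."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if path.startswith(SAMPLE_PREFIX) and path.endswith(".jsp"):
            hits.append((client, path, int(status)))
    return hits

def disclosed(hits):
    """Hits answered with 500, i.e. the Jasper error page was served."""
    return [h for h in hits if h[2] == 500]

def leaked_paths(body):
    """Absolute filesystem paths exposed in a Jasper error page body."""
    return LEAK.findall(body)

# Constructed sample data; /srv/example is a placeholder webroot.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2002:06:33:42 -0700] "GET /test/jsp/pageInfo.jsp HTTP/1.0" 500 2311',
    '192.0.2.10 - - [29/May/2002:06:33:43 -0700] "GET /test/jsp/buffer1.jsp HTTP/1.0" 404 210',
    '198.51.100.7 - - [29/May/2002:06:34:01 -0700] "GET /index.html HTTP/1.0" 200 1024',
]
SAMPLE_BODY = ("org.apache.jasper.compiler.CompileException: "
               "/srv/example/test/jsp/buffer1.jsp(3,0) Page directive: "
               "invalid value for buffer")

if __name__ == "__main__":
    for client, path, status in disclosed(sample_probes(SAMPLE_LOG)):
        print(f"{client} received the error page for {path}")
    print(leaked_paths(SAMPLE_BODY))
```

A 404 on these paths after cleanup indicates the samples directory has been removed as the Solution recommends.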
    


