6 Replies Latest reply on Mar 28, 2005 12:32 PM by panuv

    Security Threat

    panuv

      ON JBOSS 4.0.1 if I enter the URL:

      http://myhost/web-inf/web.xml


      it works pretty much like it should, reporting a 404.
      However, if I add a period inside the URL as follows:

      http://myhost/web-inf./web.xml


      the browser now shows me the contents of the file 'web.xml' !

      This to me seems to be a pretty Serious Security Threat. It works this way for my other webapps too, showing their configuration file to anyone who knows about this trick. For instance:

      http://myhost/myWebAppweb-inf./web.xml


      What's the best way to hide the contents of these web.xml files?
      Are there other known exploits with '.' in jboss/tomcat URLs, to display files whose content should be hidden from end-users?

      Thanks
      -panuv



        • 1. Re: Security Threat
          jiwils

          Hmmm...in 4.0.1sp1 I can not replicate that behavior.

          • 2. Re: Security Threat
            panuv

            Your configuration is probably different from mine, so here's some more info ... The url:

            http://localhost/web-inf./web.xml

            on my windows machine displays the contents of the file:
            server\default\deploy\jbossweb-tomcat50.sar\ROOT.war\WEB-INF\web.xml

            If you don't have the file on your system, naturally it wouldn't show.

            Also, I'm running Tomcat in capital-insensitive mode.

            If the problem is solved in SP1 that would be great. There should be no way for hackers to look inside our WEB-INFs.

            Thanks
            -panuv


            • 3. Re: Security Threat
              starksm64

              From the tomcat caseSensitive attribute configuration docs:


              If the value of this flag is true, all case sensitivity checks will be disabled. If not specified, the default value of the flag is true.

              NOTE: This flag MUST NOT be set to false on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.



              • 4. Re: Security Threat
                panuv

                Thanks for the info. This sounds unfortunate, since it means a large body of web-content developed in case-insensitive mode could not be safely served on JBOSS/Tomcat - each and every hyperlink and resource-reference, some dynamically generated, might stop working (because their case may now be wrong).

                I wonder though, could case-sensitivity be the cause for the '.' -problem in my URL?

                I looked at:
                http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/resources.html and all it says about this attribute is:

                This boolean flag toggles case sensitivity for resources on the Windows platform. Defaults to true.


                Could you give us a link to the other piece of documentation you mention?
                Thanks
                -panuv


                • 5. Re: Security Threat
                  starksm64
                  • 6. Re: Security Threat
                    panuv

                    Thanks for the link. It seems the 'caseSensitive' -attribute can be set in two different places. One is within the CONTEXT element, as described in: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/context.html

                    The other is within the RESOURCES element, as documented in: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/resources.html

                    Only within the documentation for CONTEXT does it state that "This flag MUST NOT be set to false on the Windows". The 2nd link on the other hand says: "This boolean flag toggles case sensitivity for resources on the Windows platform. Defaults to true".

                    So the 2nd link would seem to say that the purpose of this attribute (within the RESOURCES section) is precisely to alter case-sensitivity on Windows, when needed! It seems the only reason to use it would be if you're running Windows.

                    This leaves me perplexed. If anybody knows of a test for checking whether this JSP vulnerability exists or not, on a given installation, I would be most grateful to learn about it. Maybe there's a way to guard against it too, by configuring the URL-patterns appropriately, etc.?

                    Thanks
                    -panuv
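The thread asks for two things: a way to test a given installation for the trailing-dot disclosure, and a way to guard against it. The script below is an added example written for this page; it is not code from the thread, from Tomcat or from JBoss. It shows why a naive guard that compares the raw request path against `/WEB-INF/` misses `web-inf.`: on a case-insensitive filesystem Windows drops trailing dots and ignores case, so the request has to be canonicalised the same way before it is compared. The same canonicaliser is then used to scan access-log lines (Common Log Format, constructed here) for requests that reached a protected directory, and to run the two probe URLs from the thread against your own server. Function names, the sample log lines and the `fetch_status` hook are assumptions of this example.

```python
"""Defender-side check for the trailing-dot / case-folding WEB-INF exposure.

Added example for this thread, not Tomcat or JBoss code. Paths are canonicalised
the way a case-insensitive Windows filesystem resolves them: each segment loses
trailing dots and spaces, '.'/'..' segments are resolved, and case is ignored.
"""
import re
from urllib.parse import unquote

# Directories a servlet container must never serve directly.
PROTECTED_DIRS = ("WEB-INF", "META-INF")

# The two URLs used in the thread; both should return 404 on a healthy server.
PROBE_PATHS = ("/WEB-INF/web.xml", "/web-inf./web.xml")

# Common Log Format (constructed sample data for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [
    '192.0.2.10 - - [28/Mar/2005:12:32:00 +0000] "GET /web-inf./web.xml HTTP/1.1" 200 1834',
    '192.0.2.10 - - [28/Mar/2005:12:32:01 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0',
    '192.0.2.11 - - [28/Mar/2005:12:33:10 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '192.0.2.12 - - [28/Mar/2005:12:34:00 +0000] "GET /myWebApp/web-inf./web.xml HTTP/1.1" 200 2210',
    '192.0.2.13 - - [28/Mar/2005:12:35:00 +0000] "GET /images/./logo.gif HTTP/1.1" 200 3000',
]


def canonicalize(path: str) -> str:
    """Return the filesystem-equivalent form of a request path on a case-insensitive host."""
    decoded = unquote(path.split("?", 1)[0])  # %2e and friends become literal characters
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        seg = seg.rstrip(". ")  # Windows silently drops trailing dots and spaces
        if seg:
            segments.append(seg.upper())  # case-insensitive comparison
    return "/" + "/".join(segments)


def is_protected(path: str) -> bool:
    """True when the canonical path passes through WEB-INF or META-INF at any depth.

    Checking every segment (not only the first) also covers webapps deployed under a
    context path such as /myWebApp/; this is deliberately conservative.
    """
    return any(seg in PROTECTED_DIRS for seg in canonicalize(path).split("/")[1:])


def find_disclosures(log_lines):
    """Return (ip, raw_path, status, canonical_path) for requests that hit a protected dir.

    A 200 means the server served the file (an incident); a 404/403 means the guard
    held but someone probed for it.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_protected(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"]), canonicalize(m["path"])))
    return hits


def self_check(base_url: str, fetch_status):
    """Request the thread's two probe paths from your own server; return those served with 200.

    fetch_status(url) -> int is injected so the check can run without a network.
    """
    exposed = []
    for p in PROBE_PATHS:
        url = base_url.rstrip("/") + p
        if fetch_status(url) == 200:
            exposed.append(url)
    return exposed


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetch_status implementation using only the standard library."""
    from urllib.request import urlopen, Request
    from urllib.error import HTTPError
    try:
        return urlopen(Request(url, method="GET"), timeout=timeout).status
    except HTTPError as e:
        return e.code


if __name__ == "__main__":
    for ip, raw, status, canon in find_disclosures(SAMPLE_LOG):
        verdict = "SERVED" if status == 200 else "blocked"
        print(f"{ip} {raw} -> {canon} [{status} {verdict}]")
    # Against a live server you run: self_check("http://myhost", http_status)
```

Run against your own host with `self_check("http://myhost", http_status)`: an empty list means both probes were refused. On the log side, `find_disclosures` reports the `/web-inf./web.xml` requests with status 200 as actual disclosures, and the `/WEB-INF/web.xml` request with 404 as a blocked probe, while `/images/./logo.gif` is left alone because the dot segment resolves to a harmless path. The canonicalisation mirrors the filesystem behaviour the Tomcat documentation warns about; the server-side fix remains leaving `caseSensitive` at its default of true on Windows, and a URL-pattern guard in a filter can only work if it canonicalises the same way before matching.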