1. Re: Security Threat
jiwils Mar 24, 2005 2:37 PM (in response to panuv)
Hmmm... in 4.0.1sp1 I cannot replicate that behavior.
-
2. Re: Security Threat
panuv Mar 24, 2005 3:49 PM (in response to panuv)
Your configuration is probably different from mine, so here's some more info ... The URL:
http://localhost/web-inf./web.xml
on my Windows machine displays the contents of the file: server\default\deploy\jbossweb-tomcat50.sar\ROOT.war\WEB-INF\web.xml
If you don't have the file on your system, naturally it wouldn't show.
Also, I'm running Tomcat in capital-insensitive mode.
If the problem is solved in SP1 that would be great. There should be no way for hackers to look inside our WEB-INFs.
Thanks
-panuv
-
3. Re: Security Threat
starksm64 Mar 24, 2005 4:56 PM (in response to panuv)
From the Tomcat caseSensitive attribute configuration docs:
If the value of this flag is true, all case sensitivity checks will be disabled. If not specified, the default value of the flag is true.
NOTE: This flag MUST NOT be set to false on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.
-
4. Re: Security Threat
panuv Mar 24, 2005 5:33 PM (in response to panuv)
Thanks for the info. This sounds unfortunate, since it means a large body of web-content developed in case-insensitive mode could not be safely served on JBOSS/Tomcat - each and every hyperlink and resource-reference, some dynamically generated, might stop working (because their case may now be wrong).
I wonder though, could case-sensitivity be the cause for the '.' problem in my URL?
I looked at:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/resources.html and all it says about this attribute is: This boolean flag toggles case sensitivity for resources on the Windows platform. Defaults to true.
Could you give us a link to the other piece of documentation you mention?
Thanks
-panuv
-
6. Re: Security Threat
panuv Mar 28, 2005 12:32 PM (in response to panuv)
Thanks for the link. It seems the 'caseSensitive' attribute can be set in two different places. One is within the CONTEXT element, as described in: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/context.html
The other is within the RESOURCES element, as documented in: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/resources.html
Only within the documentation for CONTEXT does it state that "This flag MUST NOT be set to false on the Windows". The 2nd link on the other hand says: "This boolean flag toggles case sensitivity for resources on the Windows platform. Defaults to true".
So the 2nd link would seem to say that the purpose of this attribute (within the RESOURCES section) is precisely to alter case-sensitivity on Windows, when needed! It seems the only reason to use it would be if you're running Windows.
This leaves me perplexed. If anybody knows of a test for checking whether this JSP vulnerability exists or not, on a given installation, I would be most grateful to learn about it. Maybe there's a way to guard against it too, by configuring the URL-patterns appropriately, etc.?
Thanks
-panuv
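The last post asks how to check an installation and how to guard against the problem. As an added illustration, not code from this thread, from JBoss or from Tomcat, the Python below shows why an exact-match guard on WEB-INF lets a request like the quoted one through on a case-insensitive filesystem, and what a guard that canonicalises the path the way Windows would (case folding, trailing dots dropped, percent-decoding) does instead. The function names, the PROTECTED set and the sample paths are constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Directories a servlet container must never serve directly (assumption for the example).
PROTECTED = {"WEB-INF", "META-INF"}

def naive_blocks(url_path: str) -> bool:
    """Exact, case-sensitive match on each segment: the guard a case-sensitive
    filesystem gives for free, and all that protects 'WEB-INF' as spelled."""
    return any(seg in PROTECTED for seg in url_path.split("/") if seg)

def windows_canonical_segment(seg: str) -> str:
    """Fold a segment the way Win32 name lookup resolves it: case is ignored and
    trailing dots and spaces are dropped, so 'web-inf.' opens WEB-INF.
    (8.3 short names are a further alias this example does not model.)"""
    return seg.rstrip(". ").upper()

def hardened_blocks(url_path: str) -> bool:
    """Canonicalise before comparing: drop the query string, percent-decode,
    resolve '.' and '..' segments, then fold each segment as the filesystem would."""
    path = unquote(urlsplit(url_path).path)
    resolved = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(windows_canonical_segment(seg))
    return any(seg in PROTECTED for seg in resolved)

# Constructed request paths: the thread's URL, a case variant of it, the same
# trailing dot percent-encoded, and a legitimate page.
SAMPLE_PATHS = [
    "/WEB-INF/web.xml",
    "/web-inf./web.xml",
    "/Web-Inf/web.xml",
    "/web-inf%2e/web.xml",
    "/index.jsp",
]

def compare(paths=SAMPLE_PATHS):
    """Return {path: (naive verdict, hardened verdict)}; a (False, True) entry is
    a request the exact-match guard would let through on Windows."""
    return {p: (naive_blocks(p), hardened_blocks(p)) for p in paths}

if __name__ == "__main__":
    for p, (naive, hard) in compare().items():
        print(f"{p:22} naive={naive!s:5} hardened={hard}")
```

The configuration-level fix is the one in the documentation quoted earlier in the thread (leave caseSensitive at its default on Windows); the canonicalising comparison is what any guard has to do when the filesystem will not enforce the spelling for it.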