What are Tomcat vulnerabilities?
Tomcat 3.1 exposed website Path Problems
Tomcat 3.1 is a software developed in the Apache software environment that supports JSP 1.1 and Servlets 2.2. It has a security problem. When a non-existent jsp request is sent, the full path of the web page on the website is exposed.
Example:
Http://narco.guerrilla.sucks.co: 8080/anything. jsp
Result:
Error: 404
Location:/anything. jsp
JSP file "/javasrv2/jakarta-tomcat/webapps/ROOT/anything. jsp" not found
Solution: upgrade to the latest version.
Tomcat exposes JSP file content
Java Server Pages (JSP) files are of the & acute ;. jsp & acute; the extension is registered on Tomcat. Tomcat is case sensitive to file names. & acute ;. jsp & acute; and & acute ;. JSP & acute; is different types of file extensions. If & acute ;. JSP & acute; is linked to Tomcat, while Tomcat cannot find & acute ;. JSP & acute; the default & acute ;. text & acute; file type to respond to requests. In the NT system, large and lowercase file names are non-sensitive, so the requested file will be sent as text.
If the error message "file not found" is displayed on the UNIX server.
How to implement code protection for Tomcat in windows
Some versions of Tomcat have the source code leakage vulnerability. If you change the file suffix to uppercase when calling the JSP page in a browser, the source code of this JSP file will be completely output to the browser (maybe there is nothing in the browser window, you only need to view the HTML source file to find it ). In this way, will the source code of the website be exposed on the Internet?
Don't worry, the solution is very simple. You can write all the combinations of various suffixes to atat_homeconf web. xml. In this way, Tomcat will treat JSP with different extension names separately and the code will not be leaked.
Jsp
*. Jsp
JsP
*. JsP
? Lt; servlet-name> jSp
*. JSp
JSP
*. JSP
Jsp
*. Jsp
JsP
*. JsP
JSp
*. JSp
JSP
*. JSP
What are the Allair Jrun vulnerabilities?
Illegal WEB-INF read vulnerability in Allair JRUN
A serious security vulnerability exists in Allaire JRUN Server 2.3. It allows an attacker to view the WEB-INF directory on the JRun 3.0 server.
If a user makes a URL malformed by appending a "/" when submitting a URL request, all subdirectories under the WEB-INF will be exposed. Attackers can exploit this vulnerability to gain remote access to all files in the WEB-INF Directory of the target host system.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
