Jsp Source Code Disclosure

Goldie Fernandes
Greenhorn

Joined: Mar 22, 2002
Posts: 3
Was going through some security sites and realized that it is possible to obtain the source of a JSP page.
It is said that in some Tomcat implementations, if instead of the trailing "p" in .jsp you use "%70" (the URL-encoded form of 'p'), the server incorrectly recognizes this as a request for a non-.jsp file and pumps the file out to the client. I tried the above in Tomcat 3.3 on a WinMe platform and a Sun Solaris version 5 platform, and it DIDN'T show the source code.
The above is described at http://www.jadcentral.com/newscentral/feature.jsp?feature_ID=23
What I was worried about is that I had passwords to the MySQL database in the .jsp file(s) themselves. After reading about this security issue, I have since removed them from the file(s).
Are there any other ways by which one may view the source of a .jsp file?


Web and Database Designer for the Factoids Program, Computing and Media Services, Syracuse University
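The encoded-extension trick described in the post above leaves a recognisable trace in the servlet container's access log. The following is an added example (not from the thread or from Tomcat): it parses constructed access-log lines in common log format and flags requests whose path only resolves to a .jsp name after percent-decoding, so a defender can see whether anyone has probed for source disclosure. The log lines, addresses and paths are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat-style access log lines (common log format), sample data only.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2002:10:15:01 +0000] "GET /app/login.jsp HTTP/1.0" 200 1532
10.0.0.7 - - [22/Mar/2002:10:15:09 +0000] "GET /app/login.js%70 HTTP/1.0" 200 4120
10.0.0.9 - - [22/Mar/2002:10:16:30 +0000] "GET /app/images/logo.gif HTTP/1.0" 200 884
10.0.0.7 - - [22/Mar/2002:10:17:02 +0000] "GET /app/admin/db.%4ASP HTTP/1.0" 200 2210
10.0.0.7 - - [22/Mar/2002:10:17:30 +0000] "GET /app/config.jsp?x=%70 HTTP/1.0" 200 900
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until the value stops changing, so a doubly encoded
    extension is normalised the same way a single-encoded one is."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def encoded_jsp_request(target):
    """True when the request names a .jsp resource only after decoding, i.e.
    the raw URL spelled part of the extension with percent-encoding."""
    path = target.split("?", 1)[0]          # query string is irrelevant here
    decoded = fully_decode(path)
    if not decoded.lower().endswith(".jsp"):
        return False
    return not path.lower().endswith(".jsp")


def find_suspicious(log_text):
    """Return (ip, raw target, status) for every encoded-extension request.
    A 200 status on such a request is what a defender should review first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and encoded_jsp_request(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} requested {target!r} -> HTTP {status}")
```

A plain `/app/config.jsp?x=%70` is not flagged because the encoding sits in the query string, not in the path's extension.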
Anthony Villanueva
Ranch Hand

Joined: Mar 22, 2002
Posts: 1055
Hi,
I suppose these bugs are server-dependent so I would suggest you precompile your JSPs before deploying them to your production server.
-anthony
Michael Yuan
author
Ranch Hand

Joined: Mar 07, 2002
Posts: 1427
You should not have database passwords hardcoded in JSP pages. You can have the password embedded in database access JavaBeans, which are compiled and located under WEB-INF/ (not accessible from the web server).
You should also configure your database so that it only accepts connections with that password from your trusted server domains.


Seam Framework: http://www.amazon.com/exec/obidos/ASIN/0137129394/mobileenterpr-20/
Ringful: http://www.ringful.com/
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

"Goldie TheDude",
The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at http://www.javaranch.com/name.jsp.
We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Please edit your profile and select a new name which meets the requirements.
Thanks.
Dave
Guy Allard
Ranch Hand

Joined: Nov 24, 2000
Posts: 776
1) How to distribute .class files only for JSPs is explained quite clearly in the JSP specs, Appendix A.
2) That does not address your problem with passwords. Coded 'in clear' in the .jsp, they will also be in clear in the generated .java and the .class files.
3) I think you have a design problem.
Regards, Guy