
Jsp Source Code Disclosure

 
Goldie Fernandes
Greenhorn
Posts: 3
Was going through some security sites and realized that it is possible to obtain the source of a JSP page.
It is said that in some Tomcat implementations, instead of the trailing "p" in .jsp, if you use "%70" (the char for 'p') the server incorrectly recognizes this as a request for a non-.jsp file and pumps out the file onto the client. I tried the above in Tomcat 3.3 on a WinMe platform and a Sun Solaris ver 5 platform, and it DIDN'T show the source code.
The above is described at http://www.jadcentral.com/newscentral/feature.jsp?feature_ID=23
What I was worried about is that I had passwords to the MySQL database in the .jsp file(s) itself. After reading this security issue, I have since removed it from the file(s).
Are there any other ways by which one may view the source of a .jsp file?
 
Anthony Villanueva
Ranch Hand
Posts: 1055
Hi,
I suppose these bugs are server-dependent so I would suggest you precompile your JSPs before deploying them to your production server.
-anthony
 
Michael Yuan
author
Ranch Hand
Posts: 1427
You should not have database passwords hardcoded in JSP pages. You can make the password embedded in database access JavaBeans, which are compiled and located under WEB-INF/ (not accessible from the web server).
You should also configure your database so that it only accepts connections with that password from your trusted server domains.
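As an added illustration of the advice above (example code, not from the thread or any poster), here is a JavaBean compiled under WEB-INF/classes that loads the credentials from a hypothetical WEB-INF/db.properties file, which the container never serves to a browser, so a JSP source-disclosure bug exposes no password. The class name, property keys and file path are assumptions for the example; the bean fails closed if the file or any key is missing.

```java
// Added example, not part of the original thread. Assumed layout:
//   WEB-INF/classes/example/DbAccessBean.class  (this bean)
//   WEB-INF/db.properties                        (db.url, db.user, db.password)
// Only a bean reference such as <jsp:useBean ...> appears in the JSP itself.
package example;

import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.servlet.ServletContext;

public class DbAccessBean {
    // Hypothetical location; anything under WEB-INF/ is not served directly.
    private static final String CONFIG_PATH = "/WEB-INF/db.properties";
    private static final String[] REQUIRED_KEYS = {"db.url", "db.user", "db.password"};

    private final Properties config = new Properties();

    public DbAccessBean(ServletContext ctx) throws IOException {
        try (InputStream in = ctx.getResourceAsStream(CONFIG_PATH)) {
            if (in == null) {
                // Fail closed: never fall back to a built-in default password.
                throw new IOException("missing " + CONFIG_PATH);
            }
            config.load(in);
        }
        for (String key : REQUIRED_KEYS) {
            if (config.getProperty(key) == null || config.getProperty(key).isEmpty()) {
                throw new IOException(CONFIG_PATH + " lacks required key " + key);
            }
        }
    }

    // Opens a JDBC connection using the externally stored credentials.
    public Connection openConnection() throws SQLException {
        return DriverManager.getConnection(
                config.getProperty("db.url"),
                config.getProperty("db.user"),
                config.getProperty("db.password"));
    }

    // Deliberately no getter for the password: callers only get connections.
}
```

Pair this with a database account whose grant is restricted to the web server's host, as the post recommends, so the credential is useless if it leaks anyway.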
 
David O'Meara
Rancher
Posts: 13459
"Goldie TheDude",
The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at http://www.javaranch.com/name.jsp.
We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Please edit your profile and select a new name which meets the requirements.
Thanks.
Dave
 
Guy Allard
Ranch Hand
Posts: 776
1) How to distribute .class files only for JSPs is explained quite clearly in the JSP specs, Appendix A.
2) That does not address your problem with passwords. Coded 'in clear' in the .jsp, they will also be in clear in the generated .java and the .class files.
3) I think you have a design problem.
Regards, Guy
 