The Community Forums

Tomcat/JSP Support security issue

Discussion in 'Security' started by glottis, Mar 26, 2007.

  1. glottis

    I have a friend who is giving me web hosting support. I requested him to give my user account Tomcat and servlet hosting support.

    I made a simple JSP file and ran it, and it looks to me like a big security issue. Maybe he (my friend) was not able to configure the support properly.

    Can someone help me out on how to properly secure the Tomcat/Servlet support so that one user cannot access other users' files?

    Regards,

    Code:
    <html>
        <head>
            <title>A Simple JSP Page</title>
        </head>
        <body>
        <pre>
        The current date is <%= new java.util.Date() %>
        </pre>
        <pre>
        The current working dir is <%= System.getProperty("user.dir") %>
        </pre>
        My home directory is /home/<myusername>
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/home/<myusername>"), true, 0) %>
        </pre>
        My document root directory is /home/<myusername>/public_html (i know that)
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/home/<myusername>/public_html"), true, 0) %>
        </pre>
        My other document root directory is /home/<otherusername>/public_html
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/home/<otherusername>/public_html"), true, 0) %>
        </pre>
        Linux root directory is /
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/"), true, 0) %>
        </pre>
        </body>
    </html>

    <%!
    // Format one entry: indentation, the path, and whether the JVM can read/write it.
    public static String process(java.io.File dir, int index) {
        String s = "";
        for (int i = 0; i < index; i++) {
            s += "  ";
        }
        if (dir == null) {
            s += "{null}\n";
        } else {
            if (dir.isDirectory()) {
                s += "[" + dir + "]";
            } else {
                s += "" + dir + "";
            }
            if (dir.canRead()) {
                s += " ~ readable";
            } else {
                s += " ~ NOT readable";
            }
            if (dir.canWrite()) {
                s += " ~ writable";
            } else {
                s += " ~ NOT writable";
            }
            s += "\n";
        }
        return s;
    }

    // List a directory and its children, reporting each entry through process().
    public static String visitAllDirsAndFiles(java.io.File dir, boolean sub, int index) {
        String s = process(dir, index);
        if (!sub) {
            // The comparison operator was lost in the forum rendering; '<' is assumed.
            sub = (index < 1);
        }
        if (dir == null) {
            // do nothing.
        } else {
            if (dir.isDirectory()) {
                if (sub) {
                    String[] children = dir.list();
                    if (children != null) {
                        s += children.length + " children(s)\n";
                        for (int i = 0; i < children.length; i++) {
                            s += visitAllDirsAndFiles(new java.io.File(dir, children[i]), false, index + 1);
                        }
                    } else {
                        s += "<null>\n";
                    }
                }
            }
        }

        return s;
    }
    %>
     
  2. glottis

    bump ...
    any help appreciated ...
     
  3. appservermgr

    That is probably an inherent problem with the default Java support as it uses a shared
    JVM. You may want to consider a Java Hosting tool such as NGASI AppServer Manager,
    which runs user applications in separate JVMs and in separate Application Servers.
    Check out http://www.ngasi.com
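
An added example, not part of the original thread and not cPanel's or NGASI's code: an administrator-side audit of which accounts' document roots the shared JVM's Unix account can reach, computed from ownership and mode bits. The service account name is site-specific, and the `/home` base and `public_html` layout are assumptions taken from the paths in the first post.

```python
import os
import pwd
import sys
from pathlib import Path


def class_bits(st, uid, gids):
    """rwx bits (0-7) the mode grants this subject; the first matching class wins."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def exposure(base, target, uid, gids):
    """Return 'rw', 'r', 'w' or '' for the subject's access to target.

    Every directory from base down to target's parent must grant search (x).
    Mode bits only: ACLs, MAC policy and root's override are not modelled.
    """
    current = Path(base)
    for part in Path(target).relative_to(base).parts:
        if not class_bits(current.stat(), uid, gids) & 1:
            return ""
        current = current / part
    bits = class_bits(current.stat(), uid, gids)
    return ("r" if bits & 4 else "") + ("w" if bits & 2 else "")


def audit(base, uid, gids, docroot="public_html"):
    """Map each account under base to the subject's access to its document root."""
    report = {}
    for home in sorted(Path(base).iterdir()):
        root = home / docroot
        if root.is_dir():
            report[home.name] = exposure(base, root, uid, gids)
    return report


if __name__ == "__main__":
    # Usage (run as root): audit.py <service-account> [base]
    # <service-account> is the account the shared JVM runs as (site-specific).
    account = pwd.getpwnam(sys.argv[1])
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    base = sys.argv[2] if len(sys.argv) > 2 else "/home"
    for name, access in audit(base, account.pw_uid, groups).items():
        print(f"{name}: {access or 'no access'}")
```

Any account reported as `r` or `rw` is one whose files a JSP in the shared JVM can list or modify, which is the condition the first post observed.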
     