Tomcat/JSP Support security issue

glottis

Registered
Mar 26, 2007
I have a friend who is giving me web hosting support. I requested him to give my user account Tomcat and servlet hosting support.

I made a simple JSP file and ran it, and it looks to me like a big security issue. Maybe he (my friend) was not able to configure the support properly.

Can someone help me out on how to properly secure the Tomcat/Servlet support so that one user cannot access other users' files.

Regards,

JSP:
<%-- JSP declarations are hoisted into the generated servlet class, so the
     helper methods declared at the bottom of this page can be called here. --%>
<html>
    <head>
        <title>A Simple JSP Page</title>
    </head>
    <body>
    <pre>
    The current date is <%= new java.util.Date() %>
    </pre>
    <pre>
    The current working dir is <%= System.getProperty("user.dir") %>
    </pre>
    My home directory is /home/<myusername>
    <pre>
    <%= visitAllDirsAndFiles(new java.io.File("/home/<myusername>"), true, 0) %>
    </pre>
    My document root directory is /home/<myusername>/public_html (i know that)
    <pre>
    <%= visitAllDirsAndFiles(new java.io.File("/home/<myusername>/public_html"), true, 0) %>
    </pre>
    My other document root directory is /home/<otherusername>/public_html
    <pre>
    <%= visitAllDirsAndFiles(new java.io.File("/home/<otherusername>/public_html"), true, 0) %>
    </pre>
    Linux root directory is /
    <pre>
    <%= visitAllDirsAndFiles(new java.io.File("/"), true, 0) %>
    </pre>
    </body>
</html>

<%!
// Describe one file or directory on a single line, indented by "index" levels,
// with the read/write access the JVM's OS user has on it.
public static String process(java.io.File dir, int index) {
    String s = "";
    for (int i = 0; i < index; i++) {
        s += "  ";
    }
    if (dir == null) {
        s += "{null}\n";
    } else {
        if (dir.isDirectory()) {
            s += "[" + dir + "]";
        } else {
            s += "" + dir + "";
        }
        if (dir.canRead()) {
            s += " ~ readable";
        } else {
            s += " ~ NOT readable";
        }
        if (dir.canWrite()) {
            s += " ~ writable";
        } else {
            s += " ~ NOT writable";
        }
        s += "\n";
    }
    return s;
}

// List "dir" and, when "sub" is true (or for the top level, index < 1), its
// immediate children. Children are visited with sub=false, so the walk stops
// one level down rather than recursing through the whole tree.
public static String visitAllDirsAndFiles(java.io.File dir, boolean sub, int index) {
    String s = process(dir, index);
    if (!sub) {
        sub = (index < 1);
    }
    if (dir == null) {
        // do nothing.
    } else {
        if (dir.isDirectory()) {
            if (sub) {
                // list() returns null when the directory cannot be read.
                String[] children = dir.list();
                if (children != null) {
                    s += children.length + " children(s)\n";
                    for (int i = 0; i < children.length; i++) {
                        s += visitAllDirsAndFiles(new java.io.File(dir, children[i]), false, index + 1);
                    }
                } else {
                    // Braces rather than angle brackets so the marker is not
                    // swallowed as an HTML tag inside the <pre> block.
                    s += "{null}\n";
                }
            }
        }
    }

    return s;
}
%>

appservermgr

Member
Feb 16, 2007
That is probably an inherent problem with the default Java support, as it uses a shared JVM. You may want to consider a Java hosting tool such as NGASI AppServer Manager, which runs user applications in separate JVMs and in separate application servers. Check out http://www.ngasi.com
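One way to contain a shared-JVM setup like the one in the question, as an added example that is not from either post: start Tomcat with its security manager (`catalina.sh start -security`) and keep `conf/catalina.policy` free of blanket file grants, so each context can read only its own docBase and work directory (which Tomcat grants automatically) plus whatever is listed for it. The user name alice, the context name, and the paths below are assumed for illustration.

```text
// Fragment for conf/catalina.policy (added example, not from the thread).
// Assumes Tomcat runs with "catalina.sh start -security", that alice's site is
// deployed as context "alice" with docBase /home/alice/public_html, and that
// her application keeps its own data under /home/alice/appdata.

// WEAK: a blanket grant like this is sometimes added to "make things work".
// It lets every JSP on the server walk the whole filesystem, which is exactly
// what the directory listing in the question demonstrates.
//
// grant {
//     permission java.io.FilePermission "<<ALL FILES>>", "read";
// };

// CORRECT: no global file permission at all. Tomcat already grants each
// context read access to its own docBase and work directory, so only the
// extras this one context needs are listed, scoped to its own code locations.
grant codeBase "file:/home/alice/public_html/WEB-INF/-" {
    permission java.io.FilePermission "/home/alice/appdata/-", "read,write";
    // needed because the JSP in the question reads System.getProperty("user.dir")
    permission java.util.PropertyPermission "user.dir", "read";
};

// Compiled JSPs are loaded from the context's work directory, not from
// WEB-INF, so the same grant is repeated for that code location.
grant codeBase "file:${catalina.base}/work/Catalina/localhost/alice/-" {
    permission java.io.FilePermission "/home/alice/appdata/-", "read,write";
    permission java.util.PropertyPermission "user.dir", "read";
};

// With this policy, new java.io.File("/home/bob/public_html").list() called
// from alice's JSP throws java.security.AccessControlException instead of
// returning the listing.
```

This relies on the Java SecurityManager, which JDK 17 deprecated for removal, so on current JDKs the separate-JVM-per-user approach mentioned in the reply above is the direction to take.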