The Community Forums

Interact with an entire community of cPanel & WHM users!

Tomcat/JSP Support security issue

Discussion in 'Security' started by glottis, Mar 26, 2007.

  1. glottis

    I have a friend who is giving me web hosting support. I asked him to give my user account Tomcat and servlet hosting support.

    I made a simple JSP file and ran it, and it looks to me like a big security issue. Maybe he (my friend) was not able to configure the support properly.

    Can someone help me out on how to properly secure the Tomcat/Servlet support so that one user cannot access other users' files?

    Regards,

    PHP:
    <html>
        <head>
            <title>A Simple JSP Page</title>
        </head>
        <body>
        <pre>
        The current date is <%= new java.util.Date() %>
        </pre>
        <pre>
        The current working dir is <%= System.getProperty("user.dir") %>
        </pre>
        My home directory is /home/<myusername>
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/home/<myusername>"), true, 0) %>
        </pre>
        My document root directory is /home/<myusername>/public_html (i know that)
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/home/<myusername>/public_html"), true, 0) %>
        </pre>
        My other document root directory is /home/<otherusername>/public_html
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/home/<otherusername>/public_html"), true, 0) %>
        </pre>
        Linux root directory is /
        <pre>
        <%= visitAllDirsAndFiles(new java.io.File("/"), true, 0) %>
        </pre>
        </body>
    </html>

    <%!
    // Formats one entry: indentation by depth, the name ([dir] or file),
    // and whether the JVM's account can read and write it.
    public static String process(java.io.File dir, int index) {
        String s = "";
        for (int i=0; i<index; i++) {
            s += "  ";
        }
        if (dir == null) {
            s += "{null}\n";
        } else {
            if (dir.isDirectory()) {
               s += "[" + dir + "]";
            } else {
               s += "" + dir + "";
            }
           if (dir.canRead()) {
               s += " ~ readable";
           } else {
               s += " ~ NOT readable";
           }
           if (dir.canWrite()) {
               s += " ~ writable";
           } else {
               s += " ~ NOT writable";
           }
           s += "\n";
        }
        return s;
    }

    // Reports dir and, while sub is true, its children.
    public static String visitAllDirsAndFiles(java.io.File dir, boolean sub, int index) {
        String s = process(dir, index);
        if (!sub) {
          // The comparison operator was lost from the original post; "<" is
          // assumed here, which limits the listing to one level of children.
          sub = (index < 1);
        }
        if (dir == null) {
            // do nothing.
        } else {
            if (dir.isDirectory()) {
                if (sub) {
                    String[] children = dir.list();
                    if (children != null) {
                        s += children.length + " children(s)\n";
                        for (int i=0; i<children.length; i++) {
                            s += visitAllDirsAndFiles(new java.io.File(dir, children[i]), false, index+1);
                        }
                    } else {
                        s += "<null>\n";
                    }
                }
            }
        }

        return s;
    }
    %>
     
  2. glottis

    bump ...
    any help appreciated ...
     
  3. appservermgr

    That is probably an inherent problem with the default Java support, as it uses a shared
    JVM. You may want to consider a Java hosting tool such as NGASI AppServer Manager,
    which runs user applications in separate JVMs and in separate Application Servers.
    Check out http://www.ngasi.com
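
The JSP in the first post can list another account's files only where filesystem permissions let the shared JVM's account in. The script below is an added example, not code from the thread or from cPanel, that checks this from the filesystem side. The sample accounts and the rule that only the "other" permission bits apply to the JVM account are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root so every directory is visible.
# Assumption: the shared JVM account is neither owner nor group member, so only
# the "other" permission bits decide what a JSP can reach.

# other_access DIR -> list | names | traverse | none
other_access() {
    perm=$(ls -ld "$1" | cut -c8-10)   # "other" triplet, e.g. "r-x"
    case "$perm" in
        r?[xt]) echo list ;;       # File.list() works and entries can be opened
        r??)    echo names ;;      # entry names leak, entries cannot be opened
        -?[xt]) echo traverse ;;   # no listing, but known paths below are reachable
        *)      echo none ;;
    esac
}

# audit_homes BASE -> one line per account directory under BASE
audit_homes() {
    for home in "$1"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        h=$(other_access "$home")
        d=absent
        if [ -d "$home/public_html" ]; then
            d=$(other_access "$home/public_html")
        fi
        verdict=ok
        case "$h/$d" in
            list/*|names/*|traverse/list|traverse/names) verdict=EXPOSED ;;
        esac
        printf '%s home=%s public_html=%s %s\n' "${home##*/}" "$h" "$d" "$verdict"
    done
}

# Constructed sample tree (hypothetical accounts alice, bob, carol).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/alice/public_html" "$t/bob/public_html" "$t/carol"
    chmod 711 "$t/alice" "$t/bob"
    chmod 755 "$t/alice/public_html" "$t/carol"
    chmod 750 "$t/bob/public_html"
    echo "$t"
}

# Audit the directory given as $1, or the constructed sample tree if none is given.
audit_homes "${1:-$(make_sample_tree)}"
```

If the JVM account belongs to a group that owns the document roots, the group bits have to be checked the same way.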
     