javax.servlet.jsp.JspTagException: Invalid JSP file %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf

Tags: java jsp

We deployed a web application in Tomcat 6.0, and when we request a URL we get the following error in the log file. Can you help me find the error?

SEVERE: Servlet.service() for servlet jsp threw exception
    javax.servlet.jsp.JspTagException: Invalid JSP file     %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf
    at examples.ShowSource.doEndTag(ShowSource.java:41)
    at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:87)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:388)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)     

Best answer

This is related to this NetWare 6.0 specific exploit.

112119 : Novell NetWare 6.0 Tomcat Source.jsp Traversal Arbitrary File Access

Risk 4 : Netware

The Apache Tomcat server distributed with NetWare 6.0 has a directory traversal vulnerability. As a result, sensitive information could be obtained from the NetWare server, such as the RCONSOLE password located in AUTOEXEC.NCF.

Example :

http://target/examples/jsp/source.jsp?%2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf

Solution:

Upgrade Tomcat to the latest version, or disable the service if it is not required. Remove default files from the web server. Also, ensure the RCONSOLE password is encrypted and utilize a password protected screensaver for console access.

References:

CVSS Information:

Low Attack Complexity, Complete Confidentiality Impact

Credit:

Tenable : 2009-12-04

Patch your server.
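
Log entries like the one in the question can be flagged automatically. The following is an added example, not part of the original question or answer: it scans Tomcat log lines for the Invalid JSP file exception, percent-decodes the logged path (repeatedly, which goes beyond the single-encoded case shown here) and reports how many directory levels the path tries to climb. The function names, the decode-round limit and every sample line except the one taken from the question are assumptions.

```python
import re
from urllib.parse import unquote

# Exception text as it appears in the log on this page (ShowSource tag).
INVALID_JSP = re.compile(r"JspTagException\s*:\s*Invalid JSP file\s+(\S+)")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap nested percent-encoding

def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_depth(path):
    """Return how many directory levels the decoded path climbs above its start."""
    depth = deepest = 0
    for segment in re.split(r"[\\/]+", fully_decode(path)):
        if segment == "..":
            depth -= 1
            deepest = min(deepest, depth)
        elif segment not in ("", "."):
            depth += 1
    return -deepest

def find_traversal_probes(log_lines):
    """Return (line_number, raw_path, decoded_path, depth) for each flagged entry."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = INVALID_JSP.search(line)
        depth = traversal_depth(match.group(1)) if match else 0
        if depth > 0:
            raw = match.group(1)
            hits.append((number, raw, fully_decode(raw), depth))
    return hits

# Constructed sample: line 2 is the entry from the question, the rest are made up.
SAMPLE_LOG = [
    "SEVERE: Servlet.service() for servlet jsp threw exception",
    "javax.servlet.jsp.JspTagException: Invalid JSP file     %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf",
    "javax.servlet.jsp.JspTagException: Invalid JSP file /jsp/missing.jsp",
    "javax.servlet.jsp.JspTagException: Invalid JSP file %252e%252e%255c%252e%252e%255cplaceholder.txt",
]

if __name__ == "__main__":
    for hit in find_traversal_probes(SAMPLE_LOG):
        print(hit)
```

A hit on a server that is not NetWare usually means an automated scanner tried this check against the bundled examples webapp, which is another reason to remove the default files as the advisory recommends.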

Regarding javax.servlet.jsp.JspTagException: Invalid JSP file %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/13291418/
