
gnujsp is vulnerable to directory listing, script-source disclosure and httpd-restrictions bypass
20th Feb 2002 [SBWID-5114]
COMMAND

	gnujsp is vulnerable to directory listing, script-source  disclosure  and
	httpd-restrictions bypass

SYSTEMS AFFECTED

	current version (the patches under SOLUTION cover GNUJSP 1.0.0 and 1.0.1)

PROBLEM

	Thomas Springer found the following:
	

	Requesting
	

	http://site/servlets/gnujsp/[dirname]/[file]

	

	on a site running gnujsp reveals a directory listing of any web directory,
	including wwwroot; it also reveals the script source of certain (not all!)
	script types, depending on the web server configuration.
	

	Wrapping the URL with /servlets/gnujsp/ bypasses directory/file restrictions
	in httpd.conf or .htaccess: files and directory structures can be displayed,
	along with the .htaccess file itself.
	

	Very few sites running gnujsp seem to be partially or completely immune to
	this behaviour; most are vulnerable. The /servlets/gnujsp/ prefix is easy to
	guess, as it appears in many error messages.
	

	I don't know enough about gnujsp to provide a solution, but it seems to be
	kind of a configuration flaw in the standard config of gnujsp. I only tested
	on Apache; maybe other servers with gnujsp installed are vulnerable too.
	
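	The request pattern described above is easy to look for after the fact. The following is an added example, not part of the original advisory: it scans Apache common-log-format lines for requests that wrap a path in the GNUJSP servlet URI and classifies each by what it would have exposed. The two mount names are the ones the advisory mentions; the log lines are constructed for this example, and the classification rules (a trailing slash or a name without an extension is taken as a directory listing) are this example's own heuristics, not anything GNUJSP does.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Servlet mount points named in the advisory; JServ aliases are site-specific,
# so extend this tuple for a given deployment.
GNUJSP_MOUNTS = ("/servlets/gnujsp", "/servlet/gnujsp")

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def classify_request(target):
    """Return (mount, appended_path, kind) when the request target invokes the
    GNUJSP servlet with a path appended to it, else None."""
    raw = unquote(urlsplit(target).path)   # undo %xx escapes before matching
    wants_listing = raw.endswith("/")      # normpath drops a trailing "/"
    path = posixpath.normpath(raw)         # collapse //, /./ and resolve /../
    for mount in GNUJSP_MOUNTS:
        if path == mount:
            appended = "/" if wants_listing else ""
        elif path.startswith(mount + "/"):   # match on a segment boundary only
            appended = path[len(mount):]
        else:
            continue
        if not appended:
            return None                      # bare servlet call, nothing wrapped
        name = posixpath.basename(appended)
        if name == ".htaccess":
            kind = "htaccess-disclosure"
        elif wants_listing or "." not in name:
            kind = "directory-listing"       # heuristic: no extension -> directory
        else:
            kind = "source-disclosure"
        return mount, appended, kind
    return None


def scan_log(lines):
    """Return one finding per log line whose request wraps a path in the servlet URI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("target"))
        if hit is None:
            continue
        mount, appended, kind = hit
        findings.append({
            "host": m.group("host"),
            "status": int(m.group("status")),
            "mount": mount,
            "path": appended,
            "kind": kind,
        })
    return findings


# Constructed sample lines for this example (not taken from any real server log).
SAMPLE_LOG = """\
10.0.0.1 - - [20/Feb/2002:16:09:27 +0100] "GET /index.jsp HTTP/1.0" 200 1234
10.0.0.2 - - [20/Feb/2002:16:10:02 +0100] "GET /servlets/gnujsp/ HTTP/1.0" 200 5120
10.0.0.2 - - [20/Feb/2002:16:10:09 +0100] "GET /servlets/gnujsp/admin/ HTTP/1.0" 200 2210
10.0.0.2 - - [20/Feb/2002:16:10:15 +0100] "GET /servlet/gnujsp/admin/.htaccess HTTP/1.0" 200 87
10.0.0.2 - - [20/Feb/2002:16:10:31 +0100] "GET /servlets/gnujsp/cgi-bin/login.pl HTTP/1.0" 200 3302
10.0.0.3 - - [20/Feb/2002:16:12:44 +0100] "GET /servlets//gnujsp/./secret/ HTTP/1.0" 200 980
10.0.0.4 - - [20/Feb/2002:16:13:01 +0100] "GET /servlets/gnujsp HTTP/1.0" 500 402
10.0.0.4 - - [20/Feb/2002:16:13:20 +0100] "GET /servlets/gnujspx/foo HTTP/1.0" 404 210
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['host']} {f['status']} {f['kind']:<20} {f['mount']} -> {f['path']}")
```

	A 200 on a flagged line means the wrapped path was actually served; the 500 on the bare servlet call is the kind of error page the advisory says leaks the mount name in the first place, so a probe followed by wrapped requests from the same host is the sequence to alert on.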

	Update
	======

	Stefan Gybas added the following:
	

	The actual hole is in JServ (a  servlet  engine  for  which  GNUJSP  was
	mainly written) since it sets the servlet PathInfo  to  [dirname]/[file]
	in the above example. The GNUJSP servlet then incorrectly  assumes  that
	the request was made to "http://site/[dirname]/[file]".
	

	

SOLUTION

	Stefan Gybas proposed:
	

	There's a "denyuri" configuration option for GNUJSP but this  is  not
	a good fix since
	

	1. The same GNUJSP servlet  can  be  called  with  multiple  URIs  (e.g.
	/servlets/gnujsp and /servlet/gnujsp)
	

	2. It does not seem to work with GNUJSP 1.0.0  and  JServ  at  all  when
	there are servlet aliases
	

	A more secure solution is the attached patch for GNUJSP 1.0.0 and  1.0.1
	which forbids all direct requests to  the  GNUJSP  servlet.  Only  files
	which are mapped to the GNUJSP servlet (in  most  cases  *.jsp)  can  be
	accessed then.
	

	

	

	------------ filename="gnujsp-1.0.0.patch"

	

	diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java

	--- src.old/org/gjt/jsp/JspServlet.java	Mon Oct 18 19:28:52 1999

	+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:09:27 2002

	@@ -262,6 +262,12 @@

	 	    */

	 	}

	 

	+	// Security check: Deny the request if the path is appended to

	+	// the servlet URI -- gybas@trustsec.de

	+	if (request.getRequestURI().startsWith(request.getServletPath())) {

	+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);

	+	}

	+

	 	String jspURI  = requestToJspURI (request);

	 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {

	 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
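	Review bot: the new check in this hunk sends a 400 but does not stop processing: after `response.sendError(HttpServletResponse.SC_BAD_REQUEST);` control falls through to `String jspURI  = requestToJspURI (request);` and the rest of the service path, so either the container throws IllegalStateException when something later writes to the committed response, or the denied request is still handled. Add a `return;` inside the if block (the denyURI branch below presumably does this on a line outside the visible context). Minor: the existing denyURI branch answers SC_UNAUTHORIZED and this one SC_BAD_REQUEST; neither request is malformed nor an authentication problem, so SC_FORBIDDEN would describe both cases better than either.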

	

	

	

	

	

	

	------------- filename="gnujsp-1.0.1.patch"

	

	Only in src: DIFF

	diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java

	--- src.old/org/gjt/jsp/JspServlet.java	Thu Oct  5 09:28:00 2000

	+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:41:16 2002

	@@ -598,6 +598,12 @@

	 			  String jspURI)

	 	throws IOException, ServletException

	     {

	+	// Security check: Deny the request if the path is appended to

	+	// the servlet URI -- gybas@trustsec.de

	+	if (request.getRequestURI().startsWith(request.getServletPath())) {

	+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);

	+	}

	+

	 	// Deny requests beginning with denyURI, if specified.

	 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {

	 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
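	Review bot: same fallthrough as in the 1.0.0 patch: nothing stops execution after `response.sendError(HttpServletResponse.SC_BAD_REQUEST);`, so the denyURI test and the rest of the method still run on a committed response; put a `return;` inside the block. The check `request.getRequestURI().startsWith(request.getServletPath())` also deserves a comment stating what it relies on: JServ reporting the servlet's mount point (/servlets/gnujsp) as the servlet path even for *.jsp requests routed through an ApJServAction. On a container where getServletPath() returns the matched *.jsp path itself, the request URI trivially starts with it and every legitimate JSP request gets a 400, while on a Servlet 2.2 container with a non-root context path the URI carries the context prefix, the startsWith test fails, and direct calls are let through again.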

	

	
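	To make the mechanism described in the Update and the effect of the patch concrete, the following is an added model, in Python, of the three components involved. It is not GNUJSP, JServ or Apache code and does not come from the advisory's authors: Apache applies per-directory .htaccess rules to the directory a request URI maps to under DocumentRoot; JServ splits a direct call to the servlet into servlet path plus PATH_INFO; and the JSP servlet resolves that PATH_INFO against DocumentRoot as though the client had requested it, which is why no .htaccess under /secret/ is ever consulted. The mount point, the document tree and the deny rule are constructed for the example, and treating any resolved file as a JSP template whose non-scriptlet text is echoed verbatim is this model's assumption about why only some script types end up disclosed. The `patched` flag models the request-URI check from the patches above.

```python
import posixpath
import re

# Assumed deployment: Apache + JServ with GNUJSP mounted at SERVLET_MOUNT and
# *.jsp mapped to it via ApJServAction.  Everything here is a model, not the
# real mod_jserv, JServ or GNUJSP code.
SERVLET_MOUNT = "/servlets/gnujsp"
DENY_RULE = "deny from all"

# Constructed document tree, paths relative to DocumentRoot.
FILES = {
    "/index.jsp": "<html><%= request.getServerName() %></html>\n",
    "/secret/.htaccess": DENY_RULE + "\n",
    "/secret/admin.jsp": "<% checkAdmin(); %><b>admin</b>\n",
    "/secret/db.conf": "password=hunter2\n",
}


def is_dir(path):
    prefix = path.rstrip("/") + "/"
    return any(f.startswith(prefix) for f in FILES)


def list_dir(path):
    prefix = path.rstrip("/") + "/"
    return sorted({f[len(prefix):].split("/")[0] for f in FILES if f.startswith(prefix)})


def htaccess_denies(uri):
    """Apache merges .htaccess files from DocumentRoot down to the directory the
    URI maps to.  A URI under the servlet mount maps to no real directory, so no
    .htaccess is consulted for it at all: that is the bypass."""
    parts = uri.strip("/").split("/")
    for depth in range(len(parts) + 1):
        dir_path = "/" + "/".join(parts[:depth])
        rule = FILES.get(posixpath.join(dir_path, ".htaccess"))
        if rule and DENY_RULE in rule:
            return True
    return False


def run_jsp(source):
    """Model of what the JSP engine does with whatever file it resolved:
    scriptlets run server-side, template text is copied to the output.  A
    non-JSP file without <% %> tags is therefore echoed back verbatim."""
    return re.sub(r"<%.*?%>", "", source, flags=re.S)


def gnujsp_service(request_uri, servlet_path, path_info, patched):
    """Model of JspServlet.service(): for a direct call JServ supplies PATH_INFO,
    and the unpatched servlet resolves it against DocumentRoot as if it were the
    request URI.  The patched variant refuses any request whose URI starts with
    the servlet path, leaving only the *.jsp mapping as a way in."""
    if patched and request_uri.startswith(servlet_path):
        return 400, "direct request to the JSP servlet refused"
    jsp_uri = path_info or request_uri
    if is_dir(jsp_uri):
        return 200, "directory listing: " + " ".join(list_dir(jsp_uri))
    if jsp_uri in FILES:
        return 200, run_jsp(FILES[jsp_uri])
    return 404, "no such JSP"


def apache_handle(uri, patched=False):
    """Apache front end: per-directory access control first, then hand-off to
    JServ for the servlet mount and for *.jsp, otherwise static serving."""
    if htaccess_denies(uri):
        return 403, "forbidden by .htaccess"
    if uri == SERVLET_MOUNT or uri.startswith(SERVLET_MOUNT + "/"):
        return gnujsp_service(uri, SERVLET_MOUNT, uri[len(SERVLET_MOUNT):], patched)
    if uri.endswith(".jsp"):                        # ApJServAction .jsp /servlets/gnujsp
        return gnujsp_service(uri, SERVLET_MOUNT, "", patched)
    if posixpath.basename(uri).startswith(".ht"):  # Apache's default <Files ~ "^\.ht"> deny
        return 403, "forbidden"
    if is_dir(uri):
        return 403, "directory listing disabled"   # assumes Options -Indexes
    if uri in FILES:
        return 200, FILES[uri]
    return 404, "not found"


if __name__ == "__main__":
    probes = ["/index.jsp", "/secret/", "/secret/db.conf", "/secret/admin.jsp",
              SERVLET_MOUNT + "/secret/", SERVLET_MOUNT + "/secret/.htaccess",
              SERVLET_MOUNT + "/secret/db.conf", SERVLET_MOUNT + "/secret/admin.jsp"]
    for uri in probes:
        for patched in (False, True):
            status, body = apache_handle(uri, patched)
            label = "patched  " if patched else "unpatched"
            print(f"{label} GET {uri:<36} {status} {body.strip()}")
```

	Run unpatched, the wrapped requests return the listing of /secret/, the text of its .htaccess and the contents of db.conf while the same paths requested directly get 403; run patched, every wrapped request gets 400 and /index.jsp still works because its request URI does not start with the servlet path.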
