9th Nov 2001 [SBWID-4847]
COMMAND
httpd
SYSTEMS AFFECTED
IBM's HTTP Server on the AS/400, OS/390 running 'VSE-HTTPD/01.04.00'
PROBLEM
ken'@FTU found the following: an attack that will show the source code of
the page -- such as an .html or .jsp page -- by attaching a '/' to the
end of a URL.
Compare these two URLs:
http://www.foo.com/getsource.jsp
http://www.foo.com/getsource.jsp/
The latter URL delivers the JSP source to the browser instead of the
rendered page.
Felix Huber wrote a Nessus plugin to detect this vulnerability, based on
the following test (the trailing '/' request is answered with the raw file,
typed as www/unknown instead of text/html):
----------------------------------------
GET /index.html HTTP/1.0
HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
....
Content-Type: text/html
----------------------------------------
----------------------------------------
GET /index.html/ HTTP/1.0
HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
....
Content-Type: www/unknown <------- here
----------------------------------------
Here is the Nessus plugin ibm_server_code.nasl:
#
# This script was written by Felix Huber <huberfelix@webtopia.de>
#
# v. 1.00 (last update 08.11.01)
#
if(description)
{
 script_id(?????????);
 name["english"] = "IBM-HTTP-Server View Code";
 script_name(english:name["english"]);
 desc["english"] = "
IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
that will show the source code of the page -- such as an .html or .jsp
page -- by attaching an '/' to the end of a URL.

Example:
http://www.foo.com/getsource.jsp/

Solution : Not yet
Risk factor : High";
 script_description(english:desc["english"]);
 summary["english"] = "IBM-HTTP-Server View Code";
 script_summary(english:summary["english"]);
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2001 Felix Huber");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);
 script_dependencie("find_service.nes");
 script_dependencie("httpver.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#
port = get_kb_item("Services/www");
if(!port)port = 80;

# Candidate pages; each one is requested with a trailing '/' appended
dir[0] = "/index.html";
dir[1] = "/index.htm";
dir[2] = "/index.jsp";
dir[3] = "/default.html";
dir[4] = "/default.htm";
dir[5] = "/default.jsp";
dir[6] = "/home.html";
dir[7] = "/home.htm";
dir[8] = "/home.jsp";

if(get_port_state(port))
{
 for (i = 0; dir[i] ; i = i + 1)
 {
  soc = http_open_socket(port);
  if(soc)
  {
   url = string(dir[i], "/");
   req = http_get(item:url, port:port);
   send(socket:soc, data:req);
   r = recv(socket:soc, length:409600);
   close(soc);
   #display(r);
   # A vulnerable server answers the '/page/' request with the raw file,
   # typed as www/unknown instead of text/html
   if("Server: IBM-HTTP-Server/1.0" >< r)
   {
    if("Content-Type: www/unknown" >< r)
    {
     #security_hole(port);
     display("Security Hole detected\n");
     exit(0);
    }
   }
  }
 }
}
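The same check as the plugin above, written as an added Python example (not part of the advisory or of Felix Huber's plugin): it parses the response headers properly and compares the trailing-slash response against the normal one instead of substring-matching the whole reply. The sample responses are constructed here to mirror the exchange quoted above; the host, path and port arguments of the live check are assumptions.

```python
import socket

# Constructed sample responses modelled on the exchange quoted in the advisory
# (not real captures).
BASELINE = (b"HTTP/1.0 200 OK\r\nServer: IBM-HTTP-Server/1.0\r\n"
            b"Content-Type: text/html\r\n\r\n<html>hello</html>")
PROBE = (b"HTTP/1.0 200 OK\r\nServer: IBM-HTTP-Server/1.0\r\n"
         b"Content-Type: www/unknown\r\n\r\n<%@ page language=\"java\" %>")

def parse_response(raw: bytes):
    """Split a raw HTTP/1.0 response into (status code, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        status = int(lines[0].split()[1])
    except (IndexError, ValueError):
        status = 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def looks_like_source_disclosure(baseline_raw: bytes, probe_raw: bytes) -> bool:
    """True when the '/path/' probe matches the advisory's signature: the server
    is IBM-HTTP-Server/1.0, both requests return 200, and the Content-Type flips
    from the baseline's real type to www/unknown with a non-empty body."""
    b_status, b_hdr, _ = parse_response(baseline_raw)
    p_status, p_hdr, p_body = parse_response(probe_raw)
    if b_status != 200 or p_status != 200:
        return False  # the trailing-slash variant must still be served
    if not p_hdr.get("server", "").startswith("IBM-HTTP-Server/1.0"):
        return False
    return (p_hdr.get("content-type", "").lower() == "www/unknown"
            and b_hdr.get("content-type", "").lower() != "www/unknown"
            and len(p_body) > 0)

def fetch(host: str, path: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send a plain HTTP/1.0 GET and return the raw response (live checks only)."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while data := s.recv(65536):
            chunks.append(data)
    return b"".join(chunks)

def check_host(host: str, path: str = "/index.html", port: int = 80) -> bool:
    """Run the baseline/probe comparison against one of your own servers."""
    return looks_like_source_disclosure(fetch(host, path, port),
                                        fetch(host, path + "/", port))
```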
Update
======
Mike Turk added:
It is possible through HTTP server and servlet engine configurations
that HTML and/or JSP source could be viewed in the browser.
HTTP Server:
There are configuration settings that could be made where JSP source
could be displayed in the browser, such as placing JSPs in the document
root of the HTTP server. Also, in regards to html pages, if you use a
PASS directive that allows all file types to be served (e.g. Pass
/MYsamples/* /QIBM/UserData/MyHtml/*) then you could see the HTML
source. If the directive is qualified by file type (e.g. Pass
/MYsamples/*.html /QIBM/UserData/MyHtml/*) you can prevent the request
ending with '/' from being serviced.
Servlet Engine:
The problem description does not mention which Servlet engine/JSP
processor is being used. If it is WebSphere, and you have a file
serving servlet in your web application, it will try to service the
request for http://www.foo.com/getsource.jsp/. Like the PASS example
above, if you limit the types of requests to be served by the simple
file servlet by file type, you can prevent the source from being
displayed. To do so:
1. select the simple file servlet for the web app.
2. modify the URI in the servlet web path list.
a) start by modifying the existing URI. It may look something like
default_host/webapp/myapp/
b) change to something like default_host/webapp/myapp/*.html
3. Continue adding URIs for other file types (*.gif, etc...)
4. Click Apply
5. Restart the web application
SOLUTION
Nothing yet.