
NewAtlanta ServletExec multiple vulnerabilities
23rd May 2002 [SBWID-5361]
COMMAND

	NewAtlanta ServletExec multiple vulnerabilities

SYSTEMS AFFECTED

	ServletExec 4.1 ISAPI / IIS 4 & 5

PROBLEM

	In Matt Moore [matt@Westpoint.ltd.uk] [http://www.westpoint.ltd.uk]
	advisory [wp-02-0006]:
	

	 1. ServletExec discloses physical path of webroot

	 =================================================

	

	It is possible to invoke the class
	'com.newatlanta.servletexec.JSP10Servlet' directly by requesting a
	URL such as:
	

	/servlet/com.newatlanta.servletexec.JSP10Servlet/

	

	If no filename is supplied to it, then it returns an error message:
	

	Error. The file was not found. (filename = f:\inetpub\wwwroot\servlet\com.newatlanta.servletexec.JSP10Servlet\)

	

	disclosing the physical path of the web root.
	

	 2. JSP10Servlet allows files to be read from within IIS webroot

	 ===============================================================

	

	By invoking the JSP10Servlet (or simply JSPServlet) using the URL
	described above, it is possible to read files from within the web root.
	It did not appear to be possible to 'break out' of the web root and
	read files from other parts of the file system. The path must be URL
	encoded for this to work. For instance, a request such as
	

	/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5c\global.asa

	

	will retrieve the global.asa file, which is normally not served.
	

	 3. DoS via overly long request for .JSP file

	 ============================================

	

	By making a request for a .jsp file with an overly long name, Internet
	Information Server can be crashed.
	

	The denial of service condition can be triggered either by requesting
	a .jsp file with an overly long name:
	

	i.e. /servlet/AAAAAAAAAAAAAAA....AAAAAAAAAAAAAA.jsp

	

	or by invoking the JSPServlet or JSP10Servlet directly:
	

	/servlet/com.newatlanta.servletexec.JSPServlet/AAAAAAAA....AAAA

	

SOLUTION

	There is a workaround for the physical path disclosure bug, which
	should be in the FAQs at:
	

	http://www.newatlanta.com/products/servletexec/self_help/faq_list.jsp

	

	The other issues are fixed in Patch #9 from:
	

	ftp://ftp.newatlanta.com/public/4_1/patches/
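
A log check for the three request patterns described under PROBLEM, as an added example that is not part of the original advisory. The log line layout, the tag names and the 255-character segment threshold are assumptions; the advisory gives no length for the long request.

```python
import re
from urllib.parse import unquote

# Class names from the advisory, matched case-insensitively.
DIRECT = re.compile(
    r"^/servlet/com\.newatlanta\.servletexec\.JSP(?:10)?Servlet(?:/|$)", re.I)
TRAVERSAL = re.compile(r"\.\.[\\/]")  # ..\ or ../ after URL decoding
MAX_SEGMENT = 255  # assumed threshold; the advisory states no length

def classify(uri):
    """Return the advisory issues that a request URI resembles."""
    path = unquote(uri.split("?", 1)[0])  # decode %5c and similar once
    tags = []
    direct = DIRECT.match(path)
    if direct:
        tags.append("direct-jsp-servlet")
        rest = path[direct.end():]
        if rest == "":
            tags.append("path-disclosure")    # issue 1: no filename supplied
        if TRAVERSAL.search(rest):
            tags.append("webroot-file-read")  # issue 2: encoded traversal
    if path.lower().startswith("/servlet/"):
        if any(len(seg) > MAX_SEGMENT for seg in re.split(r"[\\/]", path)):
            tags.append("long-request")       # issue 3: overly long name
    return tags

# Constructed sample lines: date time c-ip cs-method cs-uri-stem sc-status
SERVLET = "/servlet/com.newatlanta.servletexec.JSP10Servlet/"
SAMPLE_LOG = [
    "2002-05-23 10:00:01 192.0.2.10 GET /index.jsp 200",
    "2002-05-23 10:00:05 192.0.2.77 GET " + SERVLET + " 200",
    "2002-05-23 10:00:09 192.0.2.77 GET " + SERVLET + "..%5c..%5c\\global.asa 200",
    "2002-05-23 10:00:12 192.0.2.77 GET /servlet/" + "A" * 300 + ".jsp 500",
]

def scan(lines):
    """Return (client IP, tags) for every log line that matches a pattern."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue  # skip W3C header lines and malformed entries
        tags = classify(fields[4])
        if tags:
            hits.append((fields[2], tags))
    return hits

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags))
```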

	
