1st Jul 2002 [SBWID-5499]
COMMAND
J2EE servlet servers' "WEB-INF" directory remotely accessible
SYSTEMS AFFECTED
Sybase EA Server 4.0 ( www.sybase.com )
OC4J - Oracle Containers for J2EE ( www.oracle.com )
Orion 1.5.3 - ( www.orionserver.com ).
JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun ( www.macromedia.com )
HPAS 8.0 - Hewlett Packard App Server ( www.bluestone.hp.com )
Pramati 3.0 - Pramati App Server ( www.pramati.com )
Jo - Jo Webserver ( http://sourceforge.net/projects/tagtraum-jo/ or www.tagtraum.de )
PROBLEM
From the Westpoint Ltd. advisory by Matt Moore [matt@westpoint.ltd.uk]
[http://www.westpoint.ltd.uk/advisories/wp-02-0002.txt] :
A web application ('web app') is a collection of servlets, Java
Server Pages, HTML documents, images and so on, packaged in such a way
that it can be portably deployed on any servlet-enabled web server.
Applications are typically packaged in .WAR files. There is a standard
structure for these files which looks something like:
index.html
blah.jsp
images/on.gif
images/off.gif
WEB-INF/web.xml
WEB-INF/lib/blah.jar
WEB-INF/classes/MyServlet.class
WEB-INF/classes/com/bigco/things/servlet/bigcoWebServlet.class
etc...
This can then be deployed to the application server. The WEB-INF
directory is 'special'; anything under it is not to be served
directly to web clients, as it contains Java class files (for servlets
etc.) and configuration information for the web application. Hence, when
an application server receives any request for /WEB-INF/ it will
usually return a '403 Forbidden' or even a '404 Not Found' HTTP
error.
The web.xml file which resides in WEB-INF is what is called a
'deployment descriptor' and contains detailed information about the
web application, e.g.: URL mappings, servlet registration details,
welcome files, MIME types, page-level security constraints...
A vulnerability exists in multiple Win32 servlet engines whereby, if a
dot ('.') is appended to the end of WEB-INF in the requested URL, it is
possible to retrieve the contents of any file within that directory.
It is possible to download the .java and .class files for a given
application, to access web.xml and other configuration files, and in
some cases client session information.
For example:
www.someserver.com/WEB-INF./web.xml
or
www.someserver.com/WEB-INF./classes/MyServlet.class
This vulnerability is Win32 specific because of a quirk in the way the
Windows file system operates. Basically, the file system ignores a
trailing '.' character on a given path or filename.
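The quirk described above, as an added example that is not part of the advisory or of any affected server: a request-path check that canonicalises the way the Windows file system will (trailing dots and spaces dropped per segment, case folded, '..' resolved) before applying the WEB-INF rule, shown beside the literal prefix check that the trailing dot slips past. Function names and the sample request paths are constructed.

```python
# Added example, not code from the advisory or any affected server; function
# names and sample request paths are constructed.
import posixpath
from urllib.parse import unquote
PROTECTED = {"WEB-INF", "META-INF"}

def naive_is_protected(request_path: str) -> bool:
    """Literal prefix check the advisory describes as bypassable:
    '/WEB-INF./web.xml' does not start with '/WEB-INF/', so it gets served."""
    return request_path.upper().startswith("/WEB-INF/")

def canonical_segments(request_path: str) -> list[str]:
    """Canonicalise as the Win32 file system will before the open(): decode
    once, treat backslash as a separator, resolve '.' and '..', drop trailing
    dots and spaces from each segment (the quirk the advisory describes) and
    fold case (NTFS lookups are case-insensitive)."""
    path = unquote(request_path).replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    segments = []
    for seg in path.split("/"):
        seg = seg.rstrip(". ")  # 'WEB-INF.' and 'WEB-INF ...' become 'WEB-INF'
        if seg:
            segments.append(seg.upper())
    return segments

def hardened_is_protected(request_path: str) -> bool:
    """True if any canonical segment names a protected directory (stricter
    than the servlet spec's root-only WEB-INF, the safe direction here)."""
    return any(seg in PROTECTED for seg in canonical_segments(request_path))

def bypass_attempts(request_paths: list[str]) -> list[str]:
    """Detection use of the same rule over logged paths: requests the literal
    check would have served but the canonical check recognises as WEB-INF."""
    return [p for p in request_paths
            if hardened_is_protected(p) and not naive_is_protected(p)]

# Constructed request paths, as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/on.gif",
    "/WEB-INF/web.xml",               # the literal check already blocks this
    "/WEB-INF./web.xml",              # the advisory's example
    "/WEB-INF./classes/MyServlet.class",
    "/web-inf%2e/web.xml",            # URL-encoded dot, lower case
    "/images/../WEB-INF.../web.xml",  # several dots, reached through '..'
]

if __name__ == "__main__":
    for p in bypass_attempts(SAMPLE_REQUESTS):
        print("served by literal check, blocked by canonical check:", p)
```

Running the same canonical check over request paths taken from access logs turns the fix into a detection: anything the literal rule let through but the canonical rule flags is a bypass attempt worth investigating.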
SOLUTION
Sybase EA Server
----------------
Upgrade to EAServer 4.1 (also fixed in maintenance release for 3.6.1)
OC4J - Oracle Containers for J2EE
---------------------------------
Fixed in the latest version of OC4J / 9iAS. Download OC4J v9.0.2 from:
http://otn.oracle.com/software/products/ias/devuse.html
Note: Two previous versions (v1.0.2.2.1 and v1.0.2.2) are still
available from this page, both of which still have this vulnerability
(as of 28/06/02). If you are using either of these versions you should
upgrade.
Vulnerable developer preview was available for download from
http://otn.oracle.com/tech/java/oc4j/content.html
This download has now been fixed.
Orion Server
------------
Fixed in version 1.5.4
JRun 3.0, 3.1, 4.0
------------------
Vendor contacted 31/1/02. Bug confirmed in 3.1 by vendor on 06/02/02.
http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Cumulative Patch available for JRun 3.0, 3.1 / 4.0
HPAS 8.0
--------
Vendor contacted 07/02/02, bug confirmed by vendor on same day. Will be
fixed in Maintenance Pack 8 (MP8)
Pramati App Server
------------------
Vendor contacted on 04/02/02. Fixes will be available in Service Pack
1.
Jo Webserver
------------
Fixed in version 1.0b7 and later.