TUCoPS :: Windows Apps :: win5499.htm

j2ee servlet's servers "WEB-INF" directory remotely accessible
1st Jul 2002 [SBWID-5499]
COMMAND

	j2ee servlet\'s servers \"WEB-INF\" directory remotely accessible

SYSTEMS AFFECTED

	 Sybase EA Server 4.0 ( www.sybase.com )

	 OC4J - Oracle Containers for J2EE ( www.oracle.com )

	 Orion 1.5.3 - ( www.orionserver.com ).

	 JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun ( www.macromedia.com )

	 HPAS 8.0 - Hewlett Packard App Server ( www.bluestone.hp.com )

	 Pramati 3.0 - Pramati App Server ( www.pramati.com )

	 Jo - Jo Webserver ( http://sourceforge.net/projects/tagtraum-jo/ or 

	 www.tagtraum.de )

PROBLEM

	In  Matt  Moore  [matt@westpoint.ltd.uk]  of  westpoint  ltd.   advisory
	[http://www.westpoint.ltd.uk/advisories/wp-02-0002.txt] :
	

	A web application (\'web  app\')  is  a  collection  of  servlets,  Java
	Server Pages, HTML docs, images etc etc that are packaged in such a  way
	that they can be portably deployed on any servlet-enabled web server.
	

	Applications are typically packaged in .WAR files. There is  a  standard
	structure for these files which looks something like:
	

	index.html

	blah.jsp

	images/on.gif

	images/off.gif

	WEB-INF/web.xml

	WEB-INF/lib/blah.jar

	WEB-INF/classes/MyServlet.class

	WEB-INF/classes/com/bigco/things/servlet/bigcoWebServlet.class

	etc...

	

	This can then  be  deployed  to  the  application  server.  The  WEB-INF
	directory is  \'special\';  anything  under  it  is  not  to  be  served
	directly to web clients as it contains Java class  files  (for  servlets
	etc) and configuration information for the web application. Hence,  when
	an application server  receives  any  requests  for  /WEB-INF/  it  will
	usually return a \'403 forbidden\' or even  a  \'404  Not  Found\'  HTTP
	error.
	

	The  web.xml  file  which  resides  in  WEB-INF  is  what  is  called  a
	\'deployment descriptor\' and contains detailed  information  about  the
	web application,  e.g.:  URL  mappings,  servlet  registration  details,
	welcome files, MIME types, page-level security constraints...
	

	A vulnerability exists in multiple Win32 servlet engines whereby if  you
	append a dot (\'.\') to the end of WEB-INF in the requested URL,  it  is
	possible to retrieve the contents of any files within that directory.
	

	It is possible to download the  .java  and  .class  files  for  a  given
	application, and access web.xml and other configuration  files,  and  in
	some cases client session information.
	

	For example:
	

	www.someserver.com/WEB-INF./web.xml

	

	or
	

	www.someserver.com/WEB-INF./classes/MyServlet.class

	

	This vulnerability is Win32 specific because of a quirk in the  way  the
	Windows file system operates.  Basically,  the  file  system  ignores  a
	trailing \'.\' character on a given path or filename.

SOLUTION

	 Sybase EA Server

	 ----------------

	Upgrade to EAServer 4.1 (also fixed in maintenane release for 3.6.1)
	

	 OC4J - Oracle Containers for J2EE

	 ---------------------------------

	Fixed in the latest version of OC4J / 9iAS. Download OC4J v9.0.2 from:
	

	http://otn.oracle.com/software/products/ias/devuse.html

	

	Note:  Two  previous  versions  (v1.0.2.2.1  and  v1.0.2.2   are   still
	available from this page, both of which still  have  this  vulnerability
	(as of 28/06/02). If you are using either of these versions  you  should
	upgrade.
	

	Vulnerable developer preview was available for download from
	

	http://otn.oracle.com/tech/java/oc4j/content.html

	

	This download has now been fixed.
	

	 Orion Server

	 ------------

	Fixed in version 1.5.4
	

	 JRun 3.0,3.1, 4.0

	 --------------------

	Vendor contacted 31/1/02. Bug confirmed in 3.1 by vendor on 06/02/02.
	

	http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

	

	Cumulative Patch available for JRun 3.0, 3.1 / 4.0
	

	 HPAS 8.0

	 --------

	Vendor contacted 07/02/02, bug confirmed by vendor on same day. Will  be
	fixed in Maintenance Pack 8 (MP8)
	

	 Pramati App Server

	 ------------------

	Vendor contacted on 04/02/02. Fixes will be available  in  Service  Pack
	1.
	

	 Jo Webserver

	 ------------

	Fixed in version 1.0b7 and later.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH