Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5114.htm

gnujsp is vulnerable to directorylisting, scriptsource disclosure and httpd-restrictions bypass



20th Feb 2002 [SBWID-5114]
COMMAND

	gnujsp is vulnerable to directorylisting,  scriptsource  disclosure  and
	httpd-restrictions bypass

SYSTEMS AFFECTED

	current version

PROBLEM

	Thomas Springer found following :
	

	Requesting
	

	http://site/servlets/gnujsp/[dirname]/[file]

	

	on a site  running  gnujsp,  reveals  directory-listing  of  any  webdir
	including wwwroot, it also reveals the  script-source  of  certain  (not
	all!) script-types, depending on webserver-config.
	

	Wrapping     the      url      with      /servlets/gnujsp/      bypasses
	directory/file-restrictions  in  http.conf  or  .htaccess,   files   and
	directory-structures can be displayed along with the .htaccess-file.
	

	Very few sites running gnujsp seem to be partially  or  complete  immune
	to this behaviour, most are vulnerable. The  /servlets/gnujsp/  is  easy
	to guess, it appears in many error-messages.
	

	I don\'t know enough about gnujsp to provide a solution - but  it  seems
	to be kind of a configuration flaw in standard-config of gnujsp. I  only
	tested on apache  -  maybe  other  servers  with  gnujsp  installed  are
	vulnerable too.
	

	 Update

	 ======

	

	Stefan Gybas added following :
	

	The actual hole is in JServ (a  servlet  engine  for  which  GNUJSP  was
	mainly written) since it sets the servlet PathInfo  to  [dirname]/[file]
	in the above example. The GNUJSP servlet then incorrectly  assumes  that
	the request was made to \"http://site/[dirname]/[file]\".
	

	

SOLUTION

	Stefan Gybas proposed :
	

	There\'s a \"denyuri\" configuration option for GNUJSP but this  is  not
	a good fix since
	

	1. The same GNUJSP servlet  can  be  called  with  multiple  URIs  (e.g.
	/servlets/gnujsp and /servlet/gnujsp)
	

	2. It does not seem to work with GNUJSP 1.0.0  and  JServ  at  all  when
	there are servlet aliases
	

	A more secure solution is the attached patch for GNUJSP 1.0.0 and  1.0.1
	which forbids all direct requests to  the  GNUJSP  servlet.  Only  files
	which are mapped to the GNUJSP servlet (in  most  cases  *.jsp)  can  be
	accessed then.
	

	

	

	------------ filename=\"gnujsp-1.0.0.patch\"

	

	diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java

	--- src.old/org/gjt/jsp/JspServlet.java	Mon Oct 18 19:28:52 1999

	+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:09:27 2002

	@@ -262,6 +262,12 @@

	 	    */

	 	}

	 

	+	// Security check: Deny the request if the path is appended to

	+	// the servlet URI -- gybas@trustsec.de

	+	if (request.getRequestURI().startsWith(request.getServletPath())) {

	+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);

	+	}

	+

	 	String jspURI  = requestToJspURI (request);

	 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {

	 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);

	

	

	

	

	

	

	------------- filename=\"gnujsp-1.0.1.patch\"

	

	Only in src: DIFF

	diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java

	--- src.old/org/gjt/jsp/JspServlet.java	Thu Oct  5 09:28:00 2000

	+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:41:16 2002

	@@ -598,6 +598,12 @@

	 			  String jspURI)

	 	throws IOException, ServletException

	     {

	+	// Security check: Deny the request if the path is appended to

	+	// the servlet URI -- gybas@trustsec.de

	+	if (request.getRequestURI().startsWith(request.getServletPath())) {

	+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);

	+	}

	+

	 	// Deny requests beginning with denyURI, if specified.

	 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {

	 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH