[NT] JRun SSI Request Body Parsing

From: support@securiteam.com
Date: 12/03/01

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  JRun SSI Request Body Parsing
------------------------------------------------------------------------

SUMMARY

JRun supports a number of different technologies for dynamically generated
content, most importantly Java Server Pages (JSP). One rarely used feature is
support for Server Side Includes (SSI), a much simpler language than JSP that
is primarily used to include the text of other files on the server (for
instance, adding standard headers or footers to otherwise static pages) and
can also invoke servlets. By default, the file extension .shtml is assigned
to the SSI handler.

Unfortunately, a flaw in the server-side component that processes requests
for SSI pages means that user-supplied data can be included in the SSI
processing. A remote user can submit a request containing data that will be
processed by the SSI filter; as a result, the user can cause the server to
execute arbitrary SSI directives.

DETAILS

Vulnerable systems:
JRun version 2.3.3
JRun version 3.0
JRun version 3.1

Impact:
Revealing of source code to Java Server Pages, and other protected files
inside the web root.

When a request for an SSI page is submitted to the server and the page
does not exist, the SSI handler "falls back" on the body of the HTTP
request itself. Usually an HTTP request does not contain a body, but a
malicious user can easily construct a request with a body containing SSI
commands. These can be used to include the source to other files on the
server. For example, a request such as:

GET /nosuch.shtml HTTP/1.0
Content-Length: 38

<!--#include virtual="/index.jsp"-->

would return the source of the index.jsp page (subject to SSI processing, so
servlet tags may be replaced, but most JSP source would be passed through
unmodified). It should be noted that the include directive does not go
through the usual URL processing: for example, includes of .jsp files are
not handled by the JSP handler, hence the source code of .jsp files can be
obtained. It also bypasses any access controls enforced by the web server
(so files in protected directories such as /WEB-INF/ can be accessed).
However, it was not possible to access files outside of the web root in the
cases that Netcraft tested.
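The request pattern described above (a GET for an SSI page that carries a body with SSI directives) is easy to flag in proxy or web server logs that retain request bodies. The following detection routine is an added example, not part of the advisory; it parses raw HTTP requests and reports the suspicious traits. The /servlet/<class name> path form for reaching the SSI servlet is an assumption, while the two class names are the ones given in the Recommendations section.

```python
import re
# Added detection example, not part of the advisory: flag HTTP requests that
# fit the JRun SSI fallback described above, i.e. a request for an SSI page
# that also carries a body containing SSI directives.
SSI_DIRECTIVE = re.compile(rb"<!--\s*#\s*(include|exec|echo|config|set)\b", re.I)
# Assumed: the SSI servlet is reachable as /servlet/<class name> (names from the advisory).
SSI_SERVLETS = ("allaire.jrun.ssi.ssifilter",
                "com.livesoftware.jrun.plugins.ssi.ssifilter")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF requests
        head, sep, body = raw.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].split()
    method, path = parts[0].decode("latin-1"), parts[1].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method, path, headers, body

def check_request(raw: bytes) -> list:
    """Return the suspicious traits of one request as strings (empty if none)."""
    method, path, headers, body = parse_request(raw)
    resource = path.split("?", 1)[0].lower()
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        declared = 0
    has_body = declared > 0 or len(body.strip()) > 0
    is_ssi_target = resource.endswith(".shtml") or any(
        resource.startswith("/servlet/" + s) for s in SSI_SERVLETS)
    findings = []
    if is_ssi_target and has_body:
        findings.append(f"{method} {path}: request for an SSI handler carries a {declared}-byte body")
    if SSI_DIRECTIVE.search(body):
        findings.append(f"{method} {path}: request body contains an SSI directive")
    return findings

# Constructed samples: the advisory's request shape, and an ordinary .shtml GET.
SUSPICIOUS = (b"GET /nosuch.shtml HTTP/1.0\r\nContent-Length: 38\r\n\r\n"
              b'<!--#include virtual="/index.jsp"-->\r\n')
BENIGN = b"GET /index.shtml HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(check_request(sample) or ["no findings"])
```

A request for a non-existent .shtml page with a body is the strongest signal, since ordinary browsers never send a body with GET.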

Netcraft also verified that it was possible to execute Java servlets on
the server using this vulnerability. As it is common to expose these via
the /servlet/ URL mapping, this does not give the attacker any new
advantage in the normal setup but could be considered a problem by sites
that have disabled the /servlet/ mapping.

Recommendations:
As a workaround, sites using JRun can disable SSI support on the web server.
SSI is not required by any other feature of the server, including Java
Server Pages, so few sites actually need this functionality. Disabling it
involves both removing the .shtml extension mapping to the SSI handler and
closing the /servlet/ route to the servlet that performs SSI processing
(the latter can be done either by disabling the /servlet/ mapping if it is
not used, or by blocking access to the particular servlet affected:
allaire.jrun.ssi.SSIFilter on JRun 3.x, and
com.livesoftware.jrun.plugins.ssi.SSIFilter on JRun 2.3.x). See the
security bulletin from Allaire for detailed information on making this
configuration change.

Vendor response:
Allaire have responded promptly to Netcraft's initial report of this
problem. They have confirmed that this is a security problem in the JRun
versions listed. A patch is expected to be included in the next rollup
patch for JRun. In the meantime, they have released a security bulletin to
notify customers of this problem, and advise a workaround by disabling
SSI.

ADDITIONAL INFORMATION

The information has been provided by Netcraft Security
<mailto:security@netcraft.com>.
