[NT] 'WEB-INF' Folder Accessible in Multiple Web Application

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 1 Jul 2002 07:38:45 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  'WEB-INF' Folder Accessible in Multiple Web Application
------------------------------------------------------------------------

SUMMARY

This vulnerability affects the Win32 versions of multiple j2ee servlet
containers / application servers. By making a particular request to the
servers in question, it is possible to retrieve files located under the
'WEB-INF' directory.

DETAILS

Vulnerable systems:
 * Sybase EA Server version 4.0 (http://www.sybase.com)
 * OC4J - Oracle Containers for J2EE (http://www.oracle.com)
 * Orion version 1.5.3 (http://www.orionserver.com)
 * JRun version 3.0, 3.1 and 4 - Macromedia / Allaire JRun (http://www.macromedia.com)
 * HPAS version 8.0 - Hewlett Packard App Server (http://www.bluestone.hp.com)
 * Pramati version 3.0 - Pramati App Server (http://www.pramati.com)
 * Jo - Jo Webserver (http://sourceforge.net/projects/tagtraum-jo/ or http://www.tagtraum.de)

A web application ('web app') is a collection of servlets, Java Server
Pages, HTML docs, images etc that are packaged in such a way that they can
be portably deployed on any servlet-enabled web server.

Applications are typically packaged in .WAR files. There is a standard
structure for these files that looks something like:

    index.html
    blah.jsp
    images/on.gif
    images/off.gif
    WEB-INF/web.xml
    WEB-INF/lib/blah.jar
    WEB-INF/classes/MyServlet.class
    WEB-INF/classes/com/bigco/things/servlet/bigcoWebServlet.class
    etc...

This can then be deployed to the application server. The WEB-INF directory
is 'special': anything under it must not be served directly to web
clients, because it contains Java class files (for servlets etc.) and
configuration information for the web application. Hence, when an
application server receives a request for anything under /WEB-INF/ it will
usually return a '403 Forbidden' or even a '404 Not Found' HTTP error.

The web.xml file that resides in WEB-INF is what is called a 'deployment
descriptor' and contains detailed information about the web application,
e.g.: URL mappings, servlet registration details, welcome files, MIME
types, page-level security constraints...

A vulnerability exists in multiple Win32 servlet engines whereby if you
append a dot ('.') to the end of WEB-INF in the requested URL, it is
possible to retrieve the contents of any files within that directory.

It is possible to download the .java and .class files for a given
application, and access web.xml and other configuration files, and in some
cases client session information.

For example:

    www.someserver.com/WEB-INF./web.xml

or

    www.someserver.com/WEB-INF./classes/MyServlet.class

This vulnerability is Win32 specific because of a quirk in the way the
Windows file system operates: it ignores a trailing '.' character on a
given path or filename, so 'WEB-INF.' resolves to the same directory as
'WEB-INF' even though the servlet container's string comparison does not
recognise it as the protected name.
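The check below is an added example, not code from the advisory or from any of the vendors named in it. It canonicalises a request path the way the Win32 file system would resolve it (percent-decoding, then stripping trailing dots and spaces from each path segment; the percent-encoded and trailing-space variants go beyond the advisory's literal trailing dot) and compares a naive literal '/WEB-INF/' guard against a canonicalising one, run over a few constructed access-log lines, so a defender can see which requests the naive guard misses and a log review should flag.

```python
import re
from urllib.parse import unquote

# Win32 ignores trailing dots and spaces on each path component, so
# "WEB-INF." resolves to the same directory as "WEB-INF". A guard that
# only matches the literal "/WEB-INF/" prefix therefore misses the variant.
def naive_is_protected(path: str) -> bool:
    return path.upper().startswith("/WEB-INF/")

def win32_canonical(path: str) -> str:
    """Canonicalise a URL path as a Win32 file system would resolve it:
    percent-decode, unify separators, strip trailing dots/spaces per segment."""
    decoded = unquote(path)
    segments = decoded.replace("\\", "/").split("/")
    return "/".join(seg.rstrip(". ") for seg in segments)

def hardened_is_protected(path: str) -> bool:
    """Apply the WEB-INF rule to the canonical path, not the raw request."""
    canon = win32_canonical(path).upper()
    return canon == "/WEB-INF" or canon.startswith("/WEB-INF/")

# Constructed sample access-log lines (hypothetical hosts, not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2002:07:38:45 +0200] "GET /index.html HTTP/1.0" 200 512
10.0.0.7 - - [01/Jul/2002:07:39:01 +0200] "GET /WEB-INF./web.xml HTTP/1.0" 200 2048
10.0.0.7 - - [01/Jul/2002:07:39:03 +0200] "GET /WEB-INF./classes/MyServlet.class HTTP/1.0" 200 4096
10.0.0.9 - - [01/Jul/2002:07:40:10 +0200] "GET /WEB-INF/web.xml HTTP/1.0" 403 0
10.0.0.9 - - [01/Jul/2002:07:40:12 +0200] "GET /WEB-INF%2e/web.xml HTTP/1.0" 200 2048
"""

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def find_web_inf_bypasses(log_text: str):
    """Return (path, status) for requests that reach WEB-INF once canonicalised
    but are NOT caught by the naive literal check, i.e. the bypass variants."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        path, status = m.group(1), int(m.group(2))
        if hardened_is_protected(path) and not naive_is_protected(path):
            hits.append((path, status))
    return hits

if __name__ == "__main__":
    for path, status in find_web_inf_bypasses(SAMPLE_LOG):
        print(f"WEB-INF bypass request: {path} -> HTTP {status}")
```

A 200 status on one of the flagged paths means the container actually served the file; a 403 or 404 on the same path means the fix is in place.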

Patch Information:
Sybase EA Server
Upgrade to EAServer 4.1 (also fixed in maintenance release for 3.6.1)

OC4J - Oracle Containers for J2EE
Fixed in the latest version of OC4J / 9iAS. Download OC4J v9.0.2 from:
http://otn.oracle.com/software/products/ias/devuse.html

Note: Two previous versions (v1.0.2.2.1 and v1.0.2.2) are still available
from this page, both of which still have this vulnerability (as of
28/06/02). If you are using either of these versions, you should upgrade.

A vulnerable developer preview was available for download from
http://otn.oracle.com/tech/java/oc4j/content.html . This download has now
been fixed.

Orion Server
Fixed in version 1.5.4

JRun 3.0, 3.1, 4.0
Vendor contacted 31/1/02. Bug confirmed in 3.1 by vendor on 06/02/02.
Vendor Alert: http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

Cumulative Patch available for JRun 3.0, 3.1 / 4.0

HPAS 8.0
Vendor contacted 07/02/02, bug confirmed by vendor on the same day. Will be
fixed in Maintenance Pack 8 (MP8).

Pramati App Server
Vendor contacted on 04/02/02. Fixes will be available in Service Pack 1.

Jo Webserver
Fixed in version 1.0b7 and later.

ADDITIONAL INFORMATION

The information has been provided by Matt Moore <matt@westpoint.ltd.uk>.
