JSP vulnerabilities: large-vulnerability warning
Source: myhack58 (黑吧安全网, www.myhack58.com), article ID MYHACK58:62200612224, author: Anonymous (佚名), published Oct 11, 2006
Overview: server vulnerabilities are where security problems start, and attacks on a site mostly begin with the attacker finding such vulnerabilities. Only by understanding the vulnerabilities of their own servers can site administrators take the right measures against outside attacks. The following describes common vulnerabilities in several servers, including Web servers and JSP servers.

What is the Apache mod_rewrite arbitrary file access vulnerability?

Apache 1.2 and later ship the mod_rewrite module, which maps special URLs onto absolute paths in the web server's file system. If a RewriteRule's substitution is a file-system path that includes a regular-expression back-reference ($1, $2, ...), an attacker can read any file on the target host.

The following example shows three RewriteRule directives; only the first one is vulnerable, because only it maps the request onto an absolute file-system path (the other two map to a URL path and to an external URL):

RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1

Affected systems:

  1) Apache 1.3.12
  2) Apache 1.3.11 win32
  3) Apache 1.2.x

Not affected systems: Apache 1.3.13
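As an added example (not part of the original article and not an Apache tool), the following Python script applies the page's own criterion to an httpd.conf: a RewriteRule is flagged when its substitution is a file-system path and contains a back-reference such as $1. mod_rewrite decides whether a substitution is a file-system path by checking whether its first path component exists on the local file system; the script accepts that set of existing directories as a parameter so it can run offline. The config text and the directory set below are constructed for the example.

```python
import os
import re

# Constructed httpd.conf fragment: the three RewriteRule lines shown on the page.
SAMPLE_CONF = """RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1
"""

# Constructed stand-in for the target host's file system. mod_rewrite treats a
# substitution as a file-system path when its first path component exists locally,
# otherwise as a URL path; /icons is assumed to exist only as a URL alias here.
SAMPLE_FS_DIRS = {"/usr", "/usr/local", "/usr/local/data", "/etc", "/home", "/var"}

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)
BACKREF_RE = re.compile(r"\$\d")          # $1 ... $9 captured from the rule's pattern

def first_component(path):
    """'/usr/local/data/test-stuff/$1' -> '/usr'."""
    parts = [p for p in path.split("/") if p]
    return "/" + parts[0] if parts else "/"

def is_filesystem_target(subst, fs_dirs=None):
    """True when mod_rewrite would treat the substitution as a local file path."""
    if not subst.startswith("/"):              # URL with a scheme, or a relative path
        return False
    if fs_dirs is None:                         # live check on the host running the audit
        return os.path.isdir(first_component(subst))
    return first_component(subst) in fs_dirs

def audit_rewrite_rules(conf_text, fs_dirs=None):
    """Return (line number, pattern, substitution) for every rule that matches the
    page's criterion: a file-system target built from a regex back-reference."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, subst = m.group(1), m.group(2)
        if BACKREF_RE.search(subst) and is_filesystem_target(subst, fs_dirs):
            findings.append((lineno, pattern, subst))
    return findings

if __name__ == "__main__":
    for lineno, pattern, subst in audit_rewrite_rules(SAMPLE_CONF, SAMPLE_FS_DIRS):
        print(f"line {lineno}: RewriteRule {pattern} {subst}  <- file-system target with back-reference")
```

Run on a real server, pass the config text and leave fs_dirs as None so the script consults the host's own file system, which is what mod_rewrite does.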

How to fix JSP source code exposure caused by adding special characters to an HTTP request?
Unify's eWave ServletExec is a Java/Java Servlet engine plug-in for Web servers such as Microsoft IIS, Apache and Netscape Enterprise Server.
When one of the following characters is appended to the URL of an HTTP request, ServletExec returns the source code of the JSP file instead of executing it:

  .
  %2E
  +
  %2B
  \
  %5C
  %20
  %00

Successful exploitation discloses the source code of the requested JSP file. For example, any of the following URLs will output the source of the specified JSP file:

1) http://target/directory/jsp/file.jsp.
2) http://target/directory/jsp/file.jsp%2E
3) http://target/directory/jsp/file.jsp+
4) http://target/directory/jsp/file.jsp%2B
5) http://target/directory/jsp/file.jsp\
6) http://target/directory/jsp/file.jsp%5C
7) http://target/directory/jsp/file.jsp%20
8) http://target/directory/jsp/file.jsp%00

Affected systems:

  1) Unify eWave ServletExec 3.0C
  2) Sun Solaris 8.0
  3) Microsoft Windows 98
  4) Microsoft Windows NT 4.0
  5) Microsoft Windows 2000
  6) Linux kernel 2.3.x
  7) IBM AIX 4.3.2
  8) HP HP-UX 11.4

Solution:

If the site serves no static pages or images, configure a default servlet and map "/" to it. Any URL that is not mapped to another servlet then reaches the default servlet, which in this case can simply return "file not found". If the site does serve static pages or images, the same configuration can be used, but the default servlet must then handle legitimate requests for static pages and images itself.
Another option is to map *.jsp+, *.jsp., *.jsp\ and the other variants to a servlet that just returns "file not found". For the *.jsp%00 and *.jsp%20 cases the mapping must be entered in decoded form: for *.jsp%20 the mapping to enter is "*.jsp " (note that %20 decodes to a space character).
What vulnerabilities does Tomcat have?

Tomcat 3.1 exposes the site's file-system path

Tomcat 3.1 is software developed by the Apache Software Foundation that supports JSP 1.1 and Servlets 2.2. It has a security issue: a request for a non-existent .jsp exposes the full file-system path of the site's web root.

Example:
http://narco.guerrilla.sucks.c8080/anything.jsp

The result shows:
Error: 404
Location: /anything.jsp
JSP file "/appsrv2/jakarta-tomcat/webapps/ROOT/anything.jsp" not found

Solution: upgrade to a newer version

Tomcat exposes JSP file contents

In Tomcat, Java Server Pages are registered under the '.jsp' extension, and Tomcat treats file names case-sensitively, so '.jsp' and '.JSP' are different extensions. If a link ending in '.JSP' is sent to Tomcat, Tomcat finds no handler for '.JSP' and falls back to the default text file type to answer the request. Because file names on NT systems are case-insensitive, the requested file is still found on disk and is sent as plain text.

On a UNIX server, whose file system is case-sensitive, the same request yields a "file not found" error.

How to protect code under Tomcat on Windows

Some Tomcat versions have a source-code leak: if the extension of a JSP page is changed to upper case when it is requested from the browser, the JSP file's source code is output to the browser in full. The browser window may appear empty, but viewing the HTML source reveals the code. Does this mean a site's source code is permanently exposed on the Internet?
No need to worry; the fix is simple. Write every case combination of the suffix into Tomcat_Home\conf\web.xml, so that Tomcat treats each differently-cased suffix as a JSP and does not reveal the code:

  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>jsP</servlet-name>
    <url-pattern>*.jsP</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>jSp</servlet-name>
    <url-pattern>*.jSp</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>jSP</servlet-name>
    <url-pattern>*.jSP</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>Jsp</servlet-name>
    <url-pattern>*.Jsp</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>JsP</servlet-name>
    <url-pattern>*.JsP</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>JSp</servlet-name>
    <url-pattern>*.JSp</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>JSP</servlet-name>
    <url-pattern>*.JSP</url-pattern>
  </servlet-mapping>
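As an added example (not from the article), the following Python snippet generates the web.xml entries for every case spelling of an extension instead of writing the eight combinations out by hand, and works the same way for longer extensions such as jspx (16 spellings). It assumes the JSP servlet is declared under the name "jsp" in web.xml, as in a stock Tomcat conf/web.xml, and points every url-pattern at that one declaration; change servlet_name if your declaration uses a different name.

```python
import itertools
from xml.sax.saxutils import escape

def case_variants(ext):
    """All upper/lower-case spellings of an extension: 'jsp' -> 8 variants, 'jspx' -> 16."""
    pools = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in ext]
    return ["".join(p) for p in itertools.product(*pools)]

def servlet_mapping(servlet_name, url_pattern):
    """One <servlet-mapping> element, XML-escaped, indented for a web.xml file."""
    return (
        "  <servlet-mapping>\n"
        f"    <servlet-name>{escape(servlet_name)}</servlet-name>\n"
        f"    <url-pattern>{escape(url_pattern)}</url-pattern>\n"
        "  </servlet-mapping>"
    )

def web_xml_fragment(servlet_name="jsp", ext="jsp"):
    """servlet-mapping elements routing every case spelling of *.ext to servlet_name.
    "jsp" is the assumed name of the JSP servlet declaration in conf/web.xml."""
    return "\n".join(servlet_mapping(servlet_name, f"*.{v}") for v in case_variants(ext))

if __name__ == "__main__":
    print(web_xml_fragment())
```

Paste the printed fragment inside the <web-app> element of conf/web.xml next to the existing *.jsp mapping; requests for login.JSP, login.Jsp and so on are then compiled by the JSP servlet instead of being served as text.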

What vulnerabilities does Allaire JRun have?

Allaire JRun illegal WEB-INF read vulnerability
Allaire's JRun server has a serious security vulnerability that allows an attacker to view the WEB-INF directory on a JRun 3.0 server.
If the user submits a URL request with an extra "/" appended so that the URL becomes malformed, the WEB-INF directory and all its subdirectories are exposed. An attacker who exploits this cleverly gains remote read access to every file under WEB-INF on the target host.
For example, the following URL exposes all files under WEB-INF:
http://site.running.jrun:8100//WEB-INF/

Affected systems: Allaire JRun 3.0

Solution: download and install the patch:

Allaire patch jr233p_ASB00_28_29 (Windows 95/98/NT/2000 and Windows NT Alpha):
http://download.allaire.com/jrun/jr233p_ASB00_28_29.zip
Allaire patch jr233p_ASB00_28_29.tar.gz (UNIX/Linux, GNU gzip/tar):
http://download.allaire.com/jrun/jr233p_ASB00_28_29.tar.gz

Allaire JRun 2.3 arbitrary file view vulnerability

Allaire's JRun Server 2.3 has multiple source-disclosure vulnerabilities that let an attacker view the source code of any file under the Web server's root directory.
JRun 2.3 uses Java Servlets to parse various page types such as HTML and JSP. Based on the settings in the rules.properties and servlets.properties files, any servlet can be invoked through the URL prefix "/servlet/".
JRun's SSIFilter servlet can be used to retrieve arbitrary files from the target system. The following URLs show how it can be used to retrieve any file:

http://jrun:8000/servlet/com.livesoftware.jrun … /…/…/test.jsp
http://jrun:8000/servlet/com.livesoftware.jrun.pl … …/…/…/…/…/boot.ini
http://jrun:8000/servlet/com.livesoftware.jrun.plugi … p;./…/…/…/…/winnt/repair/sam
http://jrun:8000/servlet/ssifilter/../../test.jsp
http://jrun:8000/servlet/ssifilter/& … /…/…/boot.ini
http://jrun:8000/servlet/ssifilter/../../. … /repair/sam._

Note: these assume the JRun host "jrun" is listening on port 8000.

Affected systems: Allaire JRun 2.3.x

Solution: download and install the patch jr233p_ASB00_28_29 listed under the WEB-INF vulnerability above (.zip for Windows, .tar.gz for UNIX/Linux).

Allaire JRun 2.3 remote arbitrary command execution vulnerability

Allaire's JRun Server 2.3 has a security vulnerability that lets a remote user have any file on the Web server compiled and executed as JSP code. If the URL requesting the target file uses the prefix "/servlet/", the JSP interpreter is activated; by using "../" in the target file path, files anywhere under the Web server's root directory can be reached. If the user's requests can cause a file containing their own input to be written on the target host, exploiting this vulnerability is a serious threat to the security of the target system.

For example:

http://jrun:8000/servlet/com.livesoftware.jrun … path/to/temp.txt
http://jrun:8000/servlet/jsp/../../path/to/temp.txt

Affected systems: Allaire JRun 2.3.x

Solution: download and install the patch jr233p_ASB00_28_29 listed under the WEB-INF vulnerability above (.zip for Windows, .tar.gz for UNIX/Linux).

JRun 2.3.x sample files expose site security information

The JRUN_HOME/servlets directory of JRun 2.3.x contains several sample servlet files; this is the directory JRun 2.3.x uses to load and execute servlets. All files there with the extension ".java" or ".class" must be deleted, because they expose security information about the site. For example, http://www.xxx.xxx/servlet/SessionServlet exposes information about the HTTP sessions the server currently maintains. The contents of the JRUN_HOME/jsm-default/services/jws/htdocs directory should also be deleted. This directory holds the '.jsp' files that demonstrate server features, some of which access the server's file system and expose server settings. For example, path checking is off by default in the file "viewsource.jsp", so it can be used to read files from the server's file system.

Solution:

1) Install the 2.3.3 service pack
2) Delete all documentation, demonstrations, sample code, examples and tutorials from the server, including the files that the JRun 2.3.x installation placed in the JRUN_HOME/servlets and JRUN_HOME/jsm-default/services/jws/htdocs directories.
Related site: http://www.allaire.com/

What vulnerabilities does IBM WebSphere Application Server have?

1) IBM WebSphere Application Server 3.0.2 source code exposure vulnerability
IBM WebSphere Application Server allows an attacker to view any file under the Web server's root directory. WebSphere uses Java Servlets to handle the parsing of several page types (HTML, JSP, JHTML and so on). Besides the servlets registered for specific page types, WebSphere invokes a default servlet for any requested file that is not registered. If the file path begins with "/servlet/file/", this default servlet is called and the requested file is displayed without being parsed or compiled.

Affected systems: all versions of IBM WebSphere 3.0.2

Example:

If the URL of a requested file is http://site.running.websphere/login.jsp, then accessing http://site.running.websphere/servlet/file/login.jsp shows the source code of that file.
Solution: download and install the patch
http://www-4.ibm.com/software/webservers/appserv/efix.html
Related site: http://www-4.ibm.com/software/webservers/appserv/
IBM WebSphere Application Server exposes JSP file contents
In WebSphere Application Server, Java Server Pages are registered under the '.jsp' extension, and WebSphere treats file names case-sensitively, so '.jsp' and '.JSP' are different extensions. If a link ending in '.JSP' is sent to WebSphere, it finds no handler for '.JSP' and falls back to the default text file type to answer the request. Because file names on NT systems are case-insensitive, the requested file is still found on disk and is sent as plain text.

On a UNIX server, whose file system is case-sensitive, the same request yields a "file not found" error.

Solution: download the patch
Related site: http://www-4.ibm.com/software/webservers/appserv/efix.html
Which WebLogic source code exposure vulnerabilities exist?

Affected versions (on all platforms):

BEA WebLogic Enterprise 5.1.x
BEA WebLogic Server and Express 5.1.x
BEA WebLogic Server and Express 4.5.x
BEA WebLogic Server and Express 4.0.x
BEA WebLogic Server and Express 3.1.8

This vulnerability allows an attacker to read the source code of all files under the Web directory.

WebLogic relies on four main Java Servlets to serve different file types:

  1) FileServlet - for simple HTML pages
  2) SSIServlet - for Server Side Include pages
  3) PageCompileServlet - for JHTML pages
  4) JSPServlet - for Java Server Pages

In the weblogic.properties file each of these servlets is registered as follows:

  weblogic.httpd.register.file=weblogic.servlet.FileServlet
  weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
  weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
  weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet

Further down in weblogic.properties, a default servlet is defined that is called for any requested file that is not registered. It is registered like this:

# Default servlet registration
# ------------------------------------------------
# Virtual name of the default servlet if no matching servlet
# is found
weblogic.httpd.defaultServlet=file

So if a URL's file path begins with "/file/", WebLogic invokes the default servlet, which displays the page directly without parsing or compiling it.

Exploitation:

Prefixing "/file/" to the URL path of the file you want to see makes WebLogic serve the file without parsing or compiling it, exposing its source code directly. For example, if the page is http://site.running.weblogic/login.jsp, requesting http://site.running.weblogic/file/login.jsp shows the file's contents in the Web browser.

The following methods also work:

1) Forcing the SSIServlet to serve an unparsed page:
Pages handled by the SSIServlet on a WebLogic site are registered in weblogic.properties as follows: weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet

The wildcard * in the registration is matched against the URL, so if the file path begins with /.shtml/ the file is forced through the SSIServlet. For other file types such as .jsp and .jhtml this shows the unparsed JSP or JHTML code. Example: http://www.xxx.com/.shtml/login.jsp

2) Forcing the FileServlet to serve an unparsed page:
WebLogic configures its ConsoleHelp servlet on top of the FileServlet, as the following lines in weblogic.properties show:

# For Console help. Do not modify.

weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.ConsoleHelp=\defaultFilename=/weblogic/admin/help/NoContent.html
weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone

So if the file path begins with /ConsoleHelp/, WebLogic uses the FileServlet and displays the page without parsing or compiling it, for example: http://www.xxx.com/ConsoleHelp/login.jsp
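The source-disclosure tricks this page describes (ServletExec's trailing characters, the upper-case .JSP extension on Tomcat and WebSphere under Windows, WebSphere's /servlet/file/ prefix, and WebLogic's /file/, /.shtml/ and /ConsoleHelp/ prefixes) all share one shape: request the same JSP through a path the container does not compile, then check whether JSP tags come back. The following Python code is an added example, not from the article or any vendor: probe_plan builds the candidate URLs for one target, and looks_like_jsp_source/find_leaks check response bodies for JSP directives, which a rendered page never contains. The host "target", the path /app/login.jsp and the three response bodies are constructed for the example; nothing is fetched over the network.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Trailing characters ServletExec 3.0C answered with the raw JSP file (from the page).
SERVLETEXEC_SUFFIXES = [".", "%2E", "+", "%2B", "\\", "%5C", "%20", "%00"]

# URL prefixes that route a request to a file-serving servlet instead of the JSP
# compiler: WebSphere 3.0.2 (/servlet/file) and WebLogic 5.1 (/file, /.shtml,
# /ConsoleHelp), all taken from the page.
FILE_SERVLET_PREFIXES = ["/servlet/file", "/file", "/.shtml", "/ConsoleHelp"]

def with_path(url, new_path):
    """Same scheme/host/query as url, but with the path replaced."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, new_path, p.query, p.fragment))

def probe_plan(url):
    """Return, per technique, the URLs to request for one JSP target."""
    p = urlsplit(url)
    plan = {
        "servletexec_suffix": [url + s for s in SERVLETEXEC_SUFFIXES],
        "file_servlet_prefix": [with_path(url, pre + p.path) for pre in FILE_SERVLET_PREFIXES],
    }
    stem, dot, ext = p.path.rpartition(".")
    if dot and ext.lower() == "jsp" and ext != ext.upper():
        # Tomcat / WebSphere on a case-insensitive file system (Windows).
        plan["uppercase_extension"] = [with_path(url, f"{stem}.{ext.upper()}")]
    return plan

# JSP directives, scriptlets, expressions, declarations, comments and <jsp:...> actions.
JSP_SOURCE_RE = re.compile(r"<%(@|=|!|--|\s)|<jsp:[A-Za-z]")

def looks_like_jsp_source(body):
    """A rendered page never carries JSP tags; their presence means the raw file leaked."""
    return JSP_SOURCE_RE.search(body) is not None

def find_leaks(responses):
    """responses: {url: body}. Returns the URLs whose body looks like JSP source."""
    return sorted(u for u, b in responses.items() if looks_like_jsp_source(b))

# Constructed responses standing in for what a vulnerable host would return:
# the normal page, the leaked source via a ServletExec suffix, and a 404.
SAMPLE_RESPONSES = {
    "http://target/app/login.jsp":
        '<html><body><form action="login.jsp" method="post">'
        '<input name="user"><input name="pass" type="password"></form></body></html>',
    "http://target/app/login.jsp%2E":
        '<%@ page import="java.sql.*" %>\n'
        '<% String dbPass = "s3cret"; %>\n'
        '<html><body><form action="login.jsp" method="post">...</form></body></html>',
    "http://target/app/login.JSP": "HTTP 404: file not found",
}

if __name__ == "__main__":
    for technique, urls in probe_plan("http://target/app/login.jsp").items():
        print(technique, urls)
    print("leaked:", find_leaks(SAMPLE_RESPONSES))
```

To use it live, fetch each URL from probe_plan and pass the bodies to find_leaks as {url: body}; a hit on any variant means the container is serving the file through a path that bypasses the JSP compiler, and the matching fix from this page applies.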

Solution:
Do not register the FileServlet the way the example settings do; this can expose the source code of your JSP/JHTML files. See the online documentation:
http://www.weblogic.com/docs51/admindocs/http.html#file

An example of the registrations is as follows:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file

There are two ways to avoid this problem:

(1) Register the file servlet under a random name, to make it harder to guess. For example, register the file servlet as 12foo34:
weblogic.httpd.register.12foo34=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.12foo34=defaultFilename=index.html
weblogic.httpd.defaultServlet=12foo34

(2) Register the file servlet with wildcard statements for each file extension it should serve. For example, to register the file servlet for .html files:
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html

Repeat this for the other file types the site serves: *.gif, *.jpg, *.pdf, *.txt, etc.
Note: this information is provided, with supporting detail, in the BEA WebLogic Server and Express documentation: http://www.weblogic.com/docs51/admindocs/lockdown.html
Also: watch for new versions and upgrade!