JSP vulnerabilities and solutions - Vulnerability warning - Black Bar Safety Net

2007-05-26T00:00:00
ID MYHACK58:62200715599
Type myhack58
Reporter Anonymous
Modified 2007-05-26T00:00:00

Description

Overview: Server vulnerabilities are the origin of most security problems, and most attacks on a site begin with the attacker looking for those vulnerabilities. Only by understanding its own weaknesses can a site's administrators take the right measures to prevent outside attacks. The following describes some common vulnerabilities in servers, covering both the web server and the JSP server.

What is the Apache mod_rewrite arbitrary file access vulnerability?

Apache 1.2 and later ship the mod_rewrite module, which maps specially formed URLs onto absolute paths in the web server's filesystem. If a rewrite rule passes a regular-expression capture (a back-reference such as $1) into an absolute filesystem path, an attacker can read any file on the target host. The following rewrite rules illustrate this; only the first one is vulnerable, because its substitution is an absolute filesystem path that embeds the captured group, whereas the second maps to a URL path and the third to an external URL:

RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1

Affected systems:
1) Apache 1.3.12
2) Apache 1.3.11 win32
3) Apache 1.2.x

Not affected systems:
Apache 1.3.13

Upgrade to Apache 1.3.13 or later, and audit existing RewriteRule directives for substitutions that place a back-reference inside a filesystem path.

How do I fix the disclosure of JSP source code when special characters are appended to an HTTP request?

Unify eWave ServletExec is a Java/Java Servlet engine plug-in used mainly with web servers such as Microsoft IIS, Apache and Netscape Enterprise Server. When one of the following characters is appended to an HTTP request for a JSP file, ServletExec returns the source of the file instead of executing it:

.   %2E   +   %2B   \   %5C   %20   %00

Successful exploitation discloses the source code of the specified JSP file. For example, any of the following URLs will return the source of the specified JSP file:
1) http://target/directory/jsp/file.jsp.
2) http://target/directory/jsp/file.jsp%2E
3) http://target/directory/jsp/file.jsp+
4) http://target/directory/jsp/file.jsp%2B
5) http://target/directory/jsp/file.jsp\
6) http://target/directory/jsp/file.jsp%5C
7) http://target/directory/jsp/file.jsp%20
8) http://target/directory/jsp/file.jsp%00

Affected systems:
1) Unify eWave ServletExec 3.0c
2) Sun Solaris 8.0
3) Microsoft Windows 98
4) Microsoft Windows NT 4.0
5) Microsoft Windows 2000
6) Linux kernel 2.3.x
7) IBM AIX 4.3.2
8) HP HP-UX 11.4

Solution:
If you do not serve any static pages or images, configure a default servlet and map "/" to it. Any request URL that is not mapped to a servlet is then handled by the default servlet, which in this case simply returns "file not found". If you do serve static pages or images, the same configuration still works, but the default servlet must then itself handle legitimate requests for static pages and images.

Another option is to map the suffixes ".jsp+", ".jsp." and ".jsp\" (and the rest of the list above) to a servlet that just returns "file not found". For ".jsp%00" and ".jsp%20" the mapping must be entered in decoded form rather than percent-encoded: for ".jsp%20", enter ".jsp " with a trailing space, because %20 is decoded to a space character before the mapping is matched.
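Returning to the mod_rewrite rules above, the following Python model is an added example (not part of the original article and not Apache's code). It models the first RewriteRule and shows why splicing a back-reference into an absolute filesystem path is dangerous: the unsafe mapping returns the path the filesystem would actually open after ".." resolution, and the checked variant refuses any target outside the mapped directory. The containment check and the probe URLs are illustrative assumptions, not the upstream Apache 1.3.13 fix.

```python
import posixpath
import re
from urllib.parse import unquote

# The first RewriteRule from the page: its substitution is an absolute
# filesystem path that embeds the captured group $1 verbatim.
DOC_BASE = "/usr/local/data/test-stuff"
TEST_RULE = re.compile(r"^/test/(.*)$")


def _resolve(url_path):
    """Decode the request path and splice $1 into the substitution, then
    collapse '.' and '..' the way the filesystem would when opening it.
    Returns None when the rule does not match."""
    m = TEST_RULE.match(unquote(url_path))
    if m is None:
        return None
    return posixpath.normpath(DOC_BASE + "/" + m.group(1))


def rewrite_unsafe(url_path):
    """Vulnerable behaviour: whatever the splice resolves to is served."""
    return _resolve(url_path)


def rewrite_checked(url_path):
    """Hardened behaviour (an illustrative containment check, not the
    1.3.13 patch): refuse any target that resolves outside DOC_BASE."""
    target = _resolve(url_path)
    if target is None:
        return None
    if target != DOC_BASE and not target.startswith(DOC_BASE + "/"):
        return None
    return target


# Constructed probe URLs, not captured traffic. The third one carries
# percent-encoded slashes, which the decode step folds back into '..'.
PROBES = [
    "/test/index.html",
    "/test/../../../../etc/passwd",
    "/test/..%2F..%2F..%2F..%2Fetc/passwd",
    "/more-icons/apache_pb.gif",
]


def escaping_requests(url_paths):
    """Paths the vulnerable rule would serve but the check rejects."""
    return [p for p in url_paths
            if rewrite_unsafe(p) is not None and rewrite_checked(p) is None]


if __name__ == "__main__":
    for p in PROBES:
        print(f"{p!r:45} unsafe={rewrite_unsafe(p)!r} checked={rewrite_checked(p)!r}")
```

Constraining the capture in the rule itself (for example to a character class that excludes "/" and ".") is the configuration-level equivalent of the containment check; the second and third rules on the page need neither, since their substitutions are URL paths rather than filesystem paths.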
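For the ServletExec solution above, the Python below is an added example (not part of the original advisory and not ServletExec's code). It lists the suffix mappings in the decoded form they must be registered in, routes requests the way the default-servlet configuration does so that only an exact ".jsp" suffix reaches the JSP engine, and flags disclosure probes in access-log lines, which is the check a responder would run against real logs. The static-type list and the log lines are constructed assumptions.

```python
from urllib.parse import unquote

# Trailing characters the advisory lists, in decoded form. The encoded
# variants (%2E %2B %5C %20 %00) decode to these same bytes, which is why
# the servlet mappings must be registered decoded (".jsp " not ".jsp%20").
DISGUISE_CHARS = (".", "+", "\\", " ", "\x00")

# Assumed static types the default servlet is allowed to serve.
STATIC_SUFFIXES = (".html", ".htm", ".gif", ".jpg")


def servlet_mappings_to_register():
    """Decoded suffixes to map onto a 'file not found' servlet (second fix)."""
    return [".jsp" + c for c in DISGUISE_CHARS]


def decoded_path(raw_path):
    """Percent-decode the path part only, the way a servlet engine does.
    unquote() leaves '+' alone: in a path it is a literal plus, not a space."""
    return unquote(raw_path.split("?", 1)[0])


def is_jsp_source_probe(raw_path):
    """True when stripping disguise characters from the end of the decoded
    path exposes a .jsp name, i.e. the request looks like a source-disclosure
    attempt rather than a normal JSP request."""
    decoded = decoded_path(raw_path)
    stripped = decoded.rstrip("".join(DISGUISE_CHARS))
    return stripped != decoded and stripped.lower().endswith(".jsp")


def route(raw_path):
    """Dispatch the way the first fix describes: only an exact .jsp suffix
    reaches the JSP engine, known static types go to the default servlet,
    and everything else (including every disguised .jsp) is 'not found'."""
    decoded = decoded_path(raw_path)
    if decoded.lower().endswith(".jsp"):
        return "jsp-engine"
    if decoded.lower().endswith(STATIC_SUFFIXES):
        return "default-servlet:static"
    return "default-servlet:not-found"


# Constructed access-log lines (Common Log Format), not real traffic.
ACCESS_LOG = [
    '192.0.2.10 - - [26/May/2007:10:00:00 +0000] "GET /directory/jsp/file.jsp HTTP/1.0" 200 512',
    '192.0.2.10 - - [26/May/2007:10:00:01 +0000] "GET /directory/jsp/file.jsp%2E HTTP/1.0" 200 2048',
    '192.0.2.10 - - [26/May/2007:10:00:02 +0000] "GET /directory/jsp/file.jsp+ HTTP/1.0" 200 2048',
    '192.0.2.11 - - [26/May/2007:10:00:03 +0000] "GET /icons/logo.gif HTTP/1.0" 200 300',
    '192.0.2.12 - - [26/May/2007:10:00:04 +0000] "GET /directory/jsp/file.jsp?id=1%00 HTTP/1.0" 200 512',
]


def flag_probes(log_lines):
    """Return the raw request paths in the log that look like disclosure probes."""
    flagged = []
    for line in log_lines:
        request = line.split('"')[1]          # GET /path HTTP/1.0
        path = request.split(" ")[1]
        if is_jsp_source_probe(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_probes(ACCESS_LOG):
        print("probe:", path, "->", route(path))
```

The default-servlet routing in route() is stricter than the suffix-mapping list: it does not need to enumerate each disguise character, because anything that is not exactly ".jsp" after decoding never reaches the JSP engine. The detector strips a whole run of trailing disguise characters, so it also catches requests that stack more than one of them.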