Vulners
Lucene search
servletexec-4.1.txt
`Westpoint Security Advisory
Title: Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Risk Rating: High
Software: ServletExec 4.1 ISAPI / IIS 4 & 5
Platforms: Win2k / WinNT 4
Vendor URL: www.newatlanta.com
Author: Matt Moore <[email protected]>
Date: 22 May 2002
Advisory ID#: wp-02-0006.txt
Overview:
=========
ServletExec 4.1 ISAPI is a Java Servlet/JSP Engine for Internet Information
Server and is implemented as an ISAPI filter.
The JSP functionality is provided by a servlet which is enabled by default
and contains three security flaws.
Details:
========
1. ServletExec discloses physical path of webroot
=================================================
It is possible to invoke the class 'com.newatlanta.servletexec.JSP10Servlet'
directly by requesting a url such as:
/servlet/com.newatlanta.servletexec.JSP10Servlet/
If no filename is supplied to it, then it returns an error message:
Error. The file was not found. (filename =
f:\inetpub\wwwroot\servlet\com.newatlanta.servletexec.JSP10Servlet\)
disclosing the physical path of the web root.
2. JSP10Servlet allows files to be read from within IIS webroot
===============================================================
By invoking the JSP10Servlet (or simply JSPServlet) using the URL described
above, it is possible to read files from within the web root.
It did not appear to be possible to 'break out' of the web root and read
files from other parts of the file system.
The path must be URL encoded for this to work. For instance, a request such
as
/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5c\global.asa
will retrieve the global.asa file, which is normally not served.
3. DoS via overly long request for .JSP file
============================================
By making a request for an overly long named .jsp file, Internet Information
Server can be crashed.
The denial of service condition can be triggered by either requesting an
overly long named .jsp file:
i.e. /servlet/AAAAAAAAAAAAAAA....AAAAAAAAAAAAAA.jsp
or by invoking the JSPServlet or JSP10Servlet directly:
or/servlet/com.newatlanta.servletexec.JSPServlet/AAAAAAAA....AAAA
Patch Information:
==================
There is a workaround for the physical path disclosure bug, which should be
in the FAQ's at
http://www.newatlanta.com/products/servletexec/self_help/faq_list.jsp
The other issues are fixed in Patch #9 from
ftp://ftp.newatlanta.com/public/4_1/patches/
Additional Information
======================
Nessus plugins are available to test for the vulnerabilities identified
above, from www.nessus.org:
servletExec_DoS.nasl (ID 10958)
ServletExec_File_Reading.nasl (ID 10959)
ServletExec_path_disclosure.nasl (ID 10960)
www.westpoint.ltd.uk/advisories/wp-02-0006.txt
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 May 2002 00:00Current
7.4High risk
Vulners AI Score7.4