Disclosure of JSP source code with ServletExec AS v3.0c + web instance

2000-11-22T00:00:00
ID SECURITYVULNS:DOC:959
Type securityvulns
Reporter Securityvulns
Modified 2000-11-22T00:00:00

Description

Test environment

NT 4.0 SP6a
IIS v4
Sun JDK v1.2.2.006
ServletExec AS v3.0C

Vendor status (Unify)

Issue reported on October 27th to support@servletexec.com
Confirmation on November 2nd that the problem was reproduced
Confirmation that the issue was forwarded to the developpment team
A temporary workaround was provided (see below)
As of today, no ETA for a fix

Problem description

Under a particular configuration, ServletExec AS v3.0C will disclose the source code of JSP pages when some special characters are appended to HTTP requests.

Specifically, when a web instance is installed and named after an existing Web application, or the name manually added on the servletexec.servername.applications line in servletexec.properties, the source code of a JSP page will be displayed if one of the following characters is present and the end of the request:

. and %2E + and %2B \ and %5C %20 %00

All values from %00 to %FF were checked.

Temporary workaround

Unify's support provided the following workarounds for people who might be impacted by the issue:

"If they don't have any static pages or images in their web application then they can configure a default servlet by mapping '/' to their default servlet. This will cause their default servlet to be called for any URLs which don't map to a servlet. In this case their default servlet can just return File Not Found. If they do have static pages or images then they can still do this but they'll need to have their default servlet serve up valid static pages and images."

"Another possibility is to map .jsp+, .jsp., .jsp\, etc. to a servlet which just returns File Not Found. For the .jsp%00 and .jsp%20 cases they'll need to enter the mappings in unencoded form. For example, the mapping for .jsp%20 would need to be entered as "*.jsp ". Note that the %20 was converted to a space character."

Test scenario

Here's the procedure to reproduce the behaviour on the test environment with the exampleWebApp that is provided with ServletExec.

  • Launch ServletExec_AS_30C.exe to install ServletExec AS v3.0c
  • Choose Install a ServletExec AS instance
  • Default install directories (ex: C:\Program Files\Unify\ServletExec AS)
  • Name the instance with the servername (ex: servtest)
  • Setup type is Microsoft IIS or PWS
  • Install servletexec as NT Service
  • Once the installation's complete, stop and restart IIS Admin and World Wide Web Publishing services
  • Start the ServletExec service (ex: ServletExec-servtest)
  • Connect to the admin servlet (ex: http://servtest/servlet/admin)
  • Go to Web applications/Configure
  • Add exampleWebApp (ex: Name=ex, URL=/ex, Location=C:\Program Files\Unify\ServletExec AS\Examples\exampleWebApp)
  • The application should be accessible under http://servtest/ex/jsp/simple.jsp but NOT its source code (returns 404 errors on attempts such as http://servtest/ex/jsp/simple.jsp.)

We run now the ServletExec_AS_30C.exe setup again to add a web instance:

  • Choose Install or Update a web server adapter
  • Setup type is Microsoft IIS or PWS
  • Name of the ServletExec AS instance is as before (ex: servtest)
  • Application URL is /ex
  • Once the installation's complete, stop and restart IIS Admin and World Wide Web Publishing services

At this point, we are able to retrieve the source code of JSP pages accessible within the application directory tree. Example requests that produce the source are:

http://servtest/ex/jsp/simple.jsp. http://servtest/ex/jsp/simple.jsp+ http://servtest/ex/jsp/simple.jsp\ http://servtest/ex/jsp/simple.jsp%20 http://servtest/ex/jsp/simple.jsp%00

In other words, the problem seems to occur as soon as we touch servletexec.properties and add an existing application's URL (/ex) as a parameter to servletexec.servtest.applications or to servletexec.servtest.aliases (this second case occurs if we choose a different name for the instance during the Update process - we can still view the source code).

Notes

  • A similar problem (http://www.securityfocus.com/vdb/bottom.html?vid=1328) was discovered by Niclas Vikstrom and posted to NTbugtraq by Russ Cooper on June 8,
  • Source code could be displayed when the page extension was specified in uppercase, but the problem was fixed in v3.0C.

  • Fundstone Inc. discovered two other vulnerabilites (http://www.securityfocus.com/vdb/bottom.html?vid=1876 and http://www.securityfocus.com/vdb/bottom.html?vid=1868) with v3.0C that should be fixed in v3.0E. As of today, this version still cannot be found for download at http://www.servletexec.com/downloads/ so it could not be tested.

  • Thanks to the support people at Unify for working with us on this issue