NT 4.0 SP6a IIS v4 Sun JDK v1.2.2.006 ServletExec AS v3.0C
Issue reported on October 27th to email@example.com
Confirmation on November 2nd that the problem was reproduced
Confirmation that the issue was forwarded to the development team
A temporary workaround was provided (see below)
As of today, no ETA for a fix
Under a particular configuration, ServletExec AS v3.0C will disclose the source code of JSP pages when some special characters are appended to HTTP requests.
Specifically, when a web instance is installed and named after an existing Web application, or when that application's name is manually added to the servletexec.servername.applications line in servletexec.properties, the source code of a JSP page is displayed if one of the following characters is present at the end of the request (raw and percent-encoded forms are listed together):
. and %2E
+ and %2B
\ and %5C
%20
%00
All single-byte values from %00 to %FF were checked; the ones listed above are those that triggered the disclosure.
Unify's support provided the following workarounds for people who might be impacted by the issue:
"If they don't have any static pages or images in their web application then they can configure a default servlet by mapping '/' to their default servlet. This will cause their default servlet to be called for any URLs which don't map to a servlet. In this case their default servlet can just return File Not Found. If they do have static pages or images then they can still do this but they'll need to have their default servlet serve up valid static pages and images."
"Another possibility is to map .jsp+, .jsp., .jsp\, etc. to a servlet which just returns File Not Found. For the .jsp%00 and .jsp%20 cases they'll need to enter the mappings in unencoded form. For example, the mapping for .jsp%20 would need to be entered as "*.jsp ". Note that the %20 was converted to a space character."
Here is the procedure to reproduce the behaviour on the test environment with the exampleWebApp that is provided with ServletExec.
We now run the ServletExec_AS_30C.exe setup again to add a web instance:
At this point, we are able to retrieve the source code of JSP pages accessible within the application directory tree. Example requests that produce the source are:
http://servtest/ex/jsp/simple.jsp.
http://servtest/ex/jsp/simple.jsp+
http://servtest/ex/jsp/simple.jsp\
http://servtest/ex/jsp/simple.jsp%20
http://servtest/ex/jsp/simple.jsp%00
In other words, the problem appears as soon as servletexec.properties is touched and an existing application's URL (/ex) is added as a parameter to servletexec.servtest.applications or to servletexec.servtest.aliases (the second case occurs when a different name is chosen for the instance during the Update process; the source code can still be viewed).
Source code could also be displayed when the page extension was specified in uppercase (e.g. .JSP instead of .jsp), but that problem was fixed in v3.0C.
Foundstone Inc. discovered two other vulnerabilities (http://www.securityfocus.com/vdb/bottom.html?vid=1876 and http://www.securityfocus.com/vdb/bottom.html?vid=1868) in v3.0C that should be fixed in v3.0E. As of today, that version still cannot be found for download at http://www.servletexec.com/downloads/, so it could not be tested.
Thanks to the support people at Unify for working with us on this issue.