8026148 2002-02-19 15:51 +0100  /57 lines/ Thomas Springer <thomas.springer@tuev-sued.de>
Sent by: joel@lysator.liu.se
Imported: 2002-02-20  01:04  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External cc recipient: pab@heise.de
Recipient: Bugtraq (import) <21049>
Subject: gnujsp: dir- and script-disclosure
------------------------------------------------------------
From: Thomas Springer <thomas.springer@tuev-sued.de>
To: bugtraq@securityfocus.com
Cc: pab@heise.de
Message-ID: <3.0.6.32.20020219155101.013aff70@muzs010C>

--- mod:  for verifying this, ask your favourite google for sites
running gnujsp, e.g.
+"/scripts/gnujsp/".  if you want to get a fix first - go for it,
before you release this.  I tried to contact two sites running gnujsp
asking for help with a fix - but they didn't even bother to
reply. I'm too busy to install gnujsp and do further research
myself.

tom
---

Most sites running apache/gnujsp are vulnerable to directory listing,
script source disclosure and httpd restriction bypass.

Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site
running gnujsp reveals a directory listing of any web directory, including
wwwroot; it also reveals the script source of certain (not all!)
script types, depending on the webserver config.

Wrapping the URL with /servlets/gnujsp/ bypasses the
directory/file restrictions in httpd.conf or .htaccess; files and
directory structures can be displayed along with the .htaccess file itself.

Very few sites running gnujsp seem to be partially or completely immune
to this behaviour; most are vulnerable.  The /servlets/gnujsp/ prefix is
easy to guess, as it appears in many error messages.

I don't know enough about gnujsp to provide a solution - but it seems
to be some kind of configuration flaw in the standard config of gnujsp.  I
only tested on apache - maybe other servers with gnujsp installed are
vulnerable too.

I contacted the gnujsp developers (according to the rather old
AUTHORS file) on 02/15/2002 without any response so far.

Maybe someone else familiar with gnujsp could provide a solution.


Regards,

 Thomas Springer
 (IT Security)

TUEV Informatik Service
Westendstr. 199
80806 München
Tel. 089 5791-2069
thomas.springer@tuev-sued.de
(pgp-signed mail welcome)
(8026148) /Thomas Springer <thomas.springer@tuev-sued.de>/(Reflowed)
Comment in text 8030104 by Stefan Gybas <gybas@trustsec.de>
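The probe Thomas describes leaves a recognisable trace in the web server's access log. The scanner below is an added example and not part of the original post: it reads Common Log Format lines (the sample lines are constructed here) and flags direct calls to the GNUJSP servlet that carry extra path, separating directory probes, .htaccess requests and traversal attempts from plain file requests. The alias list, the labels and the function names are assumptions made for the example.

```python
"""Scan Apache access logs for GNUJSP path-wrapping probes.

Added example, not part of the original post. It assumes the Common Log
Format and the two servlet aliases named in the thread; the log lines
below are constructed for the example.
"""
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: client ident user [time] "method target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# The servlet aliases mentioned in the thread (assumption: no others exist).
ALIASES = ("/servlets/gnujsp", "/servlet/gnujsp")

# Constructed sample log: one legitimate JSP hit, four probes from 10.0.0.9,
# and a direct .htaccess request that httpd itself refuses.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2002:15:40:01 +0100] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.9 - - [19/Feb/2002:15:41:12 +0100] "GET /servlets/gnujsp/ HTTP/1.0" 200 2048
10.0.0.9 - - [19/Feb/2002:15:41:15 +0100] "GET /servlets/gnujsp/private/.htaccess HTTP/1.0" 200 93
10.0.0.9 - - [19/Feb/2002:15:41:20 +0100] "GET /servlet/gnujsp/cgi-bin/ HTTP/1.0" 200 700
10.0.0.9 - - [19/Feb/2002:15:41:25 +0100] "GET /servlets/gnujsp/%2e%2e/etc/passwd HTTP/1.0" 404 300
10.0.0.7 - - [19/Feb/2002:15:42:00 +0100] "GET /private/.htaccess HTTP/1.0" 403 201
"""


def classify(path):
    """Label a wrapped request, or return None if the path is not a direct
    call to the servlet with extra path appended (a plain /x.jsp or a bare
    /servlets/gnujsp is not a probe by itself)."""
    for alias in ALIASES:
        if path.startswith(alias + "/"):
            tail = unquote(path[len(alias):])   # decode %2e%2e and friends
            if "/.." in tail:
                return "traversal attempt"
            if tail.endswith("/"):
                return "directory listing"
            if tail.rsplit("/", 1)[-1] == ".htaccess":
                return "htaccess disclosure"
            return "file disclosure"
    return None


def scan(log_text):
    """Return (client, path, status, label) for each suspicious request.
    Every probe is reported, whatever the status; see confirmed() for the
    subset the server actually answered."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        client, _ts, _method, target, status = m.groups()
        path = urlsplit(target).path      # drop any query string
        label = classify(path)
        if label:
            findings.append((client, path, int(status), label))
    return findings


def confirmed(findings):
    """Probes that got a 2xx: the wrapped path was really served."""
    return [f for f in findings if 200 <= f[2] < 300]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%-10s %-45s %d  %s" % f)
```

A 2xx on a wrapped path is the strongest signal; a 404 on a traversal probe still identifies the client as scanning for exactly this flaw and is worth keeping in the findings.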
8030104 2002-02-20 16:54 +0100  /39 lines/ Stefan Gybas <gybas@trustsec.de>
Sent by: joel@lysator.liu.se
Imported: 2002-02-20  18:19  by Brevbäraren
External recipient: Thomas Springer <thomas.springer@tuev-sued.de>
External cc recipient: bugtraq@securityfocus.com
External cc recipient: pab@heise.de
Recipient: Bugtraq (import) <21056>
Comment on text 8026148 by Thomas Springer <thomas.springer@tuev-sued.de>
Subject: Re: gnujsp: dir- and script-disclosure
------------------------------------------------------------
From: Stefan Gybas <gybas@trustsec.de>
To: Thomas Springer <thomas.springer@tuev-sued.de>
Cc: bugtraq@securityfocus.com, pab@heise.de
Message-ID: <20020220155422.GA31582@avoive.trustsec.de>

On Tue, Feb 19, 2002 at 03:51:01PM +0100, Thomas Springer wrote:

> Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running
> gnujsp, reveals directory-listing of any webdir including wwwroot, it also
> reveals the script-source of certain (not all!) script-types, depending on
> webserver-config.

The actual hole is in JServ (a servlet engine for which GNUJSP was
mainly written) since it sets the servlet PathInfo to
[dirname]/[file] in the above example. The GNUJSP servlet then
incorrectly assumes that the request was made to
"http://site/[dirname]/[file]".

> I don't know enough about gnujsp to provide a solution - but it seems to be
> kind of a configuration flaw in standard-config of gnujsp.

There's a "denyuri" configuration option for GNUJSP but this is not a
good fix since

1. The same GNUJSP servlet can be called with multiple URIs (e.g.
   /servlets/gnujsp and /servlet/gnujsp)

2. It does not seem to work with GNUJSP 1.0.0 and JServ at all when
   there are servlet aliases

A more secure solution is the attached patch for GNUJSP 1.0.0 and
1.0.1 which forbids all direct requests to the GNUJSP servlet. Only
files which are mapped to the GNUJSP servlet (in most cases *.jsp)
can be accessed then.

-- 
Stefan Gybas
trustsec IT solutions GmbH
(8030104) /Stefan Gybas <gybas@trustsec.de>/(Reflowed)
Attachment (text/plain) in text 8030106
Attachment (text/plain) in text 8030107
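To make the mechanism Stefan describes concrete, here is an added model in Python; it is not code from GNUJSP, JServ or Apache. It assumes that a *.jsp request reaches the servlet through Apache's Action mechanism with PATH_INFO set to the page's own URI and REQUEST_URI left unchanged, while a direct call to /servlets/gnujsp/<rest> arrives with PATH_INFO = /<rest>, so that both look alike to a servlet that trusts PATH_INFO. The document root, the httpd deny rule, the toy JSP renderer and every function name are constructed for the example; the patched variant applies the prefix test from the posted patch and returns immediately after rejecting.

```python
"""Model of the GNUJSP-on-JServ path-wrapping flaw and of the patched check.

Added example, not code from GNUJSP, JServ or Apache. It imitates how
the servlet request fields (requestURI, servletPath, pathInfo) get filled
in for the two routes that reach the servlet, and keeps the document root
in a dict. All names here are assumptions made for the example.
"""
import posixpath
import re
from dataclasses import dataclass

SERVLET_ALIASES = ("/servlets/gnujsp", "/servlet/gnujsp")

# Constructed document root: path -> file text, or None for a directory.
DOCROOT = {
    "/": None,
    "/index.jsp": "hello <%= 1 + 1 %>\n",
    "/private": None,
    "/private/.htaccess": "Deny from all\n",
    "/private/report.jsp": "<% String k = \"secret\"; %>report\n",
}

# What httpd.conf/.htaccess enforce, keyed on the URI Apache routes.
HTTPD_DENY = ("/private",)


@dataclass
class Request:
    request_uri: str   # URI the client sent (REQUEST_URI)
    servlet_path: str  # portion that selected the servlet
    path_info: str     # remainder handed to the servlet (PATH_INFO)


def jserv_dispatch(uri):
    """Return the Request GNUJSP sees, or None if the URI is not for it.

    Assumed routing: a *.jsp page arrives via Action with PATH_INFO = the
    page's own URI and REQUEST_URI unchanged; a direct /servlets/gnujsp/<rest>
    arrives with PATH_INFO = /<rest>. Both yield the same field shape.
    """
    for alias in SERVLET_ALIASES:
        if uri == alias or uri.startswith(alias + "/"):
            return Request(uri, alias, uri[len(alias):])
    if uri.endswith(".jsp"):
        return Request(uri, SERVLET_ALIASES[0], uri)
    return None


def httpd_allows(uri):
    """Apache checks its rules against the URI it routes, so a wrapped
    /servlets/gnujsp/private/x never matches a rule written for /private."""
    norm = posixpath.normpath(uri)
    return not any(norm == d or norm.startswith(d + "/") for d in HTTPD_DENY)


def render_jsp(text):
    """Toy JSP rendering: scriptlets and expressions are dropped, template
    text passes through, so a file with no JSP tags comes back as source."""
    return re.sub(r"<%.*?%>", "", text, flags=re.S)


def gnujsp_vulnerable(req):
    """Unpatched behaviour: trust PATH_INFO as the page URI."""
    jsp_uri = posixpath.normpath(req.path_info) if req.path_info else req.servlet_path
    if jsp_uri not in DOCROOT:
        return 404, ""
    if DOCROOT[jsp_uri] is None:          # directory: list its entries
        entries = sorted(posixpath.basename(p) for p in DOCROOT
                         if p != jsp_uri and posixpath.dirname(p) == jsp_uri)
        return 200, "Index of %s: %s" % (jsp_uri, " ".join(entries))
    return 200, render_jsp(DOCROOT[jsp_uri])


def gnujsp_patched(req):
    """The prefix test from the posted patch, returning at once on rejection
    so nothing further runs for the refused request."""
    if req.request_uri.startswith(req.servlet_path):
        return 400, ""
    return gnujsp_vulnerable(req)


def handle(uri, patched=False):
    """Whole path of a request: httpd access control, JServ, then GNUJSP."""
    if not httpd_allows(uri):
        return 403, ""
    req = jserv_dispatch(uri)
    if req is None:                        # static content, served by httpd
        return 200, DOCROOT.get(uri) or ""
    return (gnujsp_patched if patched else gnujsp_vulnerable)(req)
```

Compare handle('/private/.htaccess'), which httpd refuses with 403, against handle('/servlets/gnujsp/private/.htaccess'), which the unpatched servlet serves verbatim because Apache evaluated its rules against the wrapped URI. With patched=True the wrapped request and the bare servlet alias both get a 400, while /index.jsp still renders because its REQUEST_URI does not begin with the servlet path.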
8030106 2002-02-20 16:54 +0100  /18 lines/ Stefan Gybas <gybas@trustsec.de>
Imported: 2002-02-20  18:19  by Brevbäraren
External recipient: Thomas Springer <thomas.springer@tuev-sued.de>
External cc recipient: bugtraq@securityfocus.com
External cc recipient: pab@heise.de
Recipient: Bugtraq (import) <21057>
Attachment (text/plain) to text 8030104
Subject: Attachment to: Re: gnujsp: dir- and script-disclosure
------------------------------------------------------------
diff -ur src.old/org/gjt/jsp/JspServlet.java
src/org/gjt/jsp/JspServlet.java
--- src.old/org/gjt/jsp/JspServlet.java	Mon Oct 18 19:28:52 1999
+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:09:27 2002
@@ -262,6 +262,12 @@
 	    */
 	}
 
+	// Security check: Deny the request if the path is appended to
+	// the servlet URI -- gybas@trustsec.de
+	if
(request.getRequestURI().startsWith(request.getServletPath())) {
+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
 	String jspURI  = requestToJspURI (request);
 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {
 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
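Review bot: the new check sends the error but does not stop the method. After `response.sendError(HttpServletResponse.SC_BAD_REQUEST);` execution falls through to `String jspURI  = requestToJspURI (request);` and the rest of the handler still runs for a request that has already been refused; add a `return;` inside the new if block. The prefix test also deserves a comment stating the container behaviour it relies on, namely that for a mapped *.jsp page getRequestURI() is the page's URI while getServletPath() is the servlet's own URI, because on an engine that reports them differently the same test would either reject every page or block nothing. A small point: a policy refusal reads better as 403 Forbidden than as 400 Bad Request.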
(8030106) /Stefan Gybas <gybas@trustsec.de>/(Reflowed)
8030107 2002-02-20 16:54 +0100  /19 lines/ Stefan Gybas <gybas@trustsec.de>
Imported: 2002-02-20  18:19  by Brevbäraren
External recipient: Thomas Springer <thomas.springer@tuev-sued.de>
External cc recipient: bugtraq@securityfocus.com
External cc recipient: pab@heise.de
Recipient: Bugtraq (import) <21058>
Attachment (text/plain) to text 8030104
Subject: Attachment to: Re: gnujsp: dir- and script-disclosure
------------------------------------------------------------
Only in src: DIFF diff -ur src.old/org/gjt/jsp/JspServlet.java
src/org/gjt/jsp/JspServlet.java
--- src.old/org/gjt/jsp/JspServlet.java	Thu Oct  5 09:28:00 2000
+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:41:16 2002
@@ -598,6 +598,12 @@
 			  String jspURI)
 	throws IOException, ServletException
     {
+	// Security check: Deny the request if the path is appended to
+	// the servlet URI -- gybas@trustsec.de
+	if
(request.getRequestURI().startsWith(request.getServletPath())) {
+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
 	// Deny requests beginning with denyURI, if specified.
 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {
 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
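Review bot: same omission as in the 1.0.0 hunk: there is no `return;` after `response.sendError(HttpServletResponse.SC_BAD_REQUEST);`, so the denyURI test and whatever follows it still execute for the rejected request. Here the check sits in a method that already receives `String jspURI` as a parameter, so the caller has translated the request path before the refusal happens; if the translation does any file-system work it would be cleaner to reject in the caller, before the path is computed at all. Note for anyone applying this from the list archive: the mail reflow has split the `if` from its condition and wrapped the `diff -ur` command line; neither breaks javac or patch, but the attachment is the version to apply.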
(8030107) /Stefan Gybas <gybas@trustsec.de>/(Reflowed)