Adding special characters causes exposure of JSP source code files

Source: Internet
Author: User
Tags: microsoft iis

Server vulnerabilities are where most security problems begin: an attack on a website usually starts with finding a weakness in the target. A website administrator can only take the right countermeasures after understanding those weaknesses. The following describes common vulnerabilities in several servers, both web servers and JSP engines.

What is the Apache vulnerability that exposes arbitrary files?

Apache 1.2 and later include the mod_rewrite module, which maps specially formed URLs to absolute paths on the web server's file system. If a rewrite rule substitutes a captured part of the request URL directly into such an absolute path, an attacker who sends a suitably crafted request can read arbitrary files on the target host.

In the following example, only the first rewrite rule is vulnerable, because its substitution is an absolute filesystem path that embeds the captured $1 unchanged. The second rule rewrites to a URL path under the document root, and the third is an external redirect:
RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1

Affected systems:
1) Apache 1.3.12
2) Apache 1.3.11 win32
3) Apache 1.2.x

Unaffected systems: Apache 1.3.13
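To make the difference between the first rule and a safe mapping concrete, here is a small Python model, added as an example and not taken from the page or from Apache's own code. It models the first rule above (the data directory and the rule regex are the page's; the function names are assumptions), shows where a request path containing ".." ends up when $1 is substituted verbatim, and contrasts it with a mapping that decodes, normalises and confines the result to the intended directory before any file is opened.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed model of the page's first rewrite rule (added example, not Apache code):
#   RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
# The capture is substituted straight into an absolute filesystem path.
DATA_ROOT = "/usr/local/data/test-stuff"
RULE = re.compile(r"^/test/(.*)$")


def rewrite_naive(url_path):
    """Substitute $1 verbatim, the way the vulnerable rule does.

    Returns the filesystem path the rule produces, or None if the rule
    does not match. No normalisation or containment check is applied.
    """
    m = RULE.match(url_path)
    if m is None:
        return None
    return DATA_ROOT + "/" + m.group(1)


def resolves_to(fs_path):
    """Collapse '.' and '..' to show which file the kernel would actually open."""
    return posixpath.normpath(fs_path)


def rewrite_checked(url_path):
    """Hardened mapping: decode, normalise, then confine the result to DATA_ROOT.

    Percent-decoding happens before normalisation so that an encoded
    '%2e%2e' cannot slip past the check, and the comparison is against
    DATA_ROOT plus a separator so that a sibling directory such as
    '/usr/local/data/test-stuff-private' is not accepted as a prefix match.
    """
    m = RULE.match(url_path)
    if m is None:
        return None
    candidate = posixpath.normpath(posixpath.join(DATA_ROOT, unquote(m.group(1))))
    if candidate != DATA_ROOT and not candidate.startswith(DATA_ROOT + "/"):
        return None  # the request escaped the mapped directory
    return candidate


if __name__ == "__main__":
    attack = "/test/../../../../etc/passwd"
    print("naive rule maps", attack, "to", resolves_to(rewrite_naive(attack)))
    print("checked rule maps", attack, "to", rewrite_checked(attack))
```

The containment test is done on the normalised path rather than on the raw URL because a pattern like `(.*)` accepts anything; rejecting ".." textually would still miss encoded forms, which is why decoding happens first.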

How can I expose JSP source code files by adding special characters to an HTTP request?

Unify eWave ServletExec is a Java Servlet/JSP engine that plugs into web servers such as Microsoft IIS, Apache, and Netscape Enterprise Server.

When one of the following characters is appended to the file name in an HTTP request, ServletExec returns the JSP source file instead of executing it.

Successful exploitation discloses the source code of the requested JSP file. Any of the following URL requests outputs the source of the specified JSP:
1) http://target/directory/jsp/file.jsp.
2) http://target/directory/jsp/file.jsp%2E
3) http://target/directory/jsp/file.jsp+
4) http://target/directory/jsp/file.jsp%2B
5) http://target/directory/jsp/file.jsp\
6) http://target/directory/jsp/file.jsp%5C
7) http://target/directory/jsp/file.jsp%20
8) http://target/directory/jsp/file.jsp%00

Affected systems:
1) Unify eWave ServletExec 3.0c
2) Sun Solaris 8.0
3) Microsoft Windows 98
4) Microsoft Windows NT 4.0
5) Microsoft Windows 2000
6) Linux kernel 2.3.x
7) IBM AIX 4.3.2
8) HP HP-UX 11.4

Solution:

If the server serves no static pages or images, configure a default servlet and map "/" to it. Any URL that does not match another servlet mapping is then handled by the default servlet, which should simply return "file not found". If static pages or images are served, the same configuration still works, but the default servlet must then serve the legitimate static pages and images itself.

Another option is to map *.jsp+, *.jsp. and *.jsp\ to a servlet that only returns "file not found". For the *.jsp%00 and *.jsp%20 cases, the mapping must be entered in decoded form: for *.jsp%20, enter "*.jsp " with a trailing space, because %20 decodes to a space character.
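The following Python is an added example, not code from the page or from ServletExec, and it does two things a practitioner would want here: it generates the eight probe URLs listed above and classifies responses so that the variants can be tested against a server (the `fetch` callable, the `scan` name and the `<%` heuristic are assumptions), and it shows what the servlet-engine side of the fix looks like as a dispatcher decision. The trick works because the engine matches the literal URL suffix against "*.jsp" (no match, so the request falls through to static-file handling) while the file-opening code later ignores the trailing junk and opens file.jsp anyway; deciding on a decoded, trimmed name closes that gap by refusing a mangled JSP name outright, which is the "file not found" behaviour the solution above asks for.

```python
import re
from urllib.parse import unquote

# The eight trailing sequences listed above, in the exact form sent on the wire.
PROBE_SUFFIXES = [".", "%2E", "+", "%2B", "\\", "%5C", "%20", "%00"]

# A served JSP has had its directives, scriptlets, expressions and comments
# executed away; if any are still present, the engine returned the source.
JSP_MARKER = re.compile(r"<%[@=!\-\s]")


def probe_urls(base_url):
    """Build the variant URLs for one .jsp URL (e.g. http://target/dir/file.jsp)."""
    return [base_url + suffix for suffix in PROBE_SUFFIXES]


def looks_like_jsp_source(body):
    """Heuristic classifier for a response body (assumption: str, already decoded)."""
    return JSP_MARKER.search(body) is not None


def scan(base_url, fetch):
    """Try every variant; `fetch(url)` is caller-supplied and returns the body as str.

    Returns the variant URLs whose response still contains JSP syntax.
    """
    return [url for url in probe_urls(base_url) if looks_like_jsp_source(fetch(url))]


def classify_request(raw_path):
    """Hardened dispatcher decision for a servlet engine: 'jsp', 'static' or 'not_found'.

    Decode first, then look at the last path component after trimming the
    trailing characters the page lists. A name that is a JSP only after
    trimming is refused rather than handed to the static-file path.
    """
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return "not_found"          # NUL truncates C string APIs; never a legitimate name
    name = decoded.rsplit("/", 1)[-1]
    if name.lower().endswith(".jsp"):
        return "jsp"
    trimmed = name.rstrip(". +\\")  # '.', space, '+' and '\' as listed above
    if trimmed.lower().endswith(".jsp"):
        return "not_found"          # file.jsp with trailing junk: refuse it
    return "static"


if __name__ == "__main__":
    for url in probe_urls("http://target/directory/jsp/file.jsp"):
        print(url, "->", classify_request(url.split("target", 1)[1]))
```

To use `scan` against a live host, pass a function that performs the HTTP request and returns the body text; the heuristic only flags bodies that still contain JSP syntax, so a server that answers every variant with an error page produces an empty list.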
What are the Tomcat vulnerabilities?

Tomcat 3.1 exposes the website path

Tomcat 3.1 is the Apache Software Foundation's servlet container supporting JSP 1.1 and Servlets 2.2. It has an information-disclosure problem: a request for a non-existent JSP page returns an error message containing the full filesystem path of the web application.

Example: http://narco.guerrilla.sucks.co:8080/anything.jsp
Result:
Error: 404
Location: /anything.jsp
JSP file "/javasrv2/jakarta-tomcat/webapps/ROOT/anything.jsp" not found
Solution: Upgrade Tomcat to the latest version.

Tomcat exposes JSP file content

The ".jsp" extension is registered with Tomcat for Java Server Pages files. Tomcat treats extensions case-sensitively, so ".jsp" and ".JSP" are different file types. If a request for a ".JSP" file reaches Tomcat, Tomcat has no mapping for ".JSP" and falls back to the default "text" file type. On NT, file names are case-insensitive, so the requested file exists and is sent to the client as plain text. On a UNIX server the same request simply returns "file not found".

How to protect JSP code in Tomcat on Windows

Some versions of Tomcat have this source-code leakage vulnerability: request a JSP page from a browser with the file suffix in uppercase, and the complete source of the JSP file is sent to the browser (the window may look empty because the source is rendered as HTML; viewing the page source reveals the JSP code). Does this mean the website's source code is exposed on the Internet?

Don't worry. The solution is simple: add every upper/lower-case combination of the suffix to TOMCAT_HOME\conf\web.xml. Tomcat then handles each spelling of the JSP extension as a JSP, and the code is no longer leaked.
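The added example below, which is not from the page or from Tomcat, generates those combinations and the corresponding web.xml entries, and includes a small model of Tomcat's case-sensitive extension match so the before-and-after behaviour can be checked. It assumes the JSP handler is registered under the servlet name "jsp", as in Tomcat 3.x's conf/web.xml; adjust the name if your installation differs.

```python
import itertools

# Assumed servlet name: Tomcat 3.x's conf/web.xml registers the JSP handler as "jsp".
JSP_SERVLET_NAME = "jsp"


def extension_variants(ext="jsp"):
    """Every upper/lower-case spelling of an extension: jsp, jsP, jSp, ... JSP."""
    cases = [(ch.lower(), ch.upper()) for ch in ext]
    return ["".join(combo) for combo in itertools.product(*cases)]


def served_by_jsp_servlet(path, url_patterns):
    """Model of Tomcat's extension mapping: a case-sensitive suffix match.

    With only "*.jsp" mapped, "/index.JSP" falls through to the default
    handler, which on a case-insensitive filesystem sends the file as text.
    """
    return any(path.endswith(p[1:]) for p in url_patterns if p.startswith("*."))


def servlet_mappings_xml(ext="jsp", servlet_name=JSP_SERVLET_NAME):
    """<servlet-mapping> entries covering every case variant, for conf/web.xml."""
    entries = []
    for variant in extension_variants(ext):
        entries.append(
            "  <servlet-mapping>\n"
            f"    <servlet-name>{servlet_name}</servlet-name>\n"
            f"    <url-pattern>*.{variant}</url-pattern>\n"
            "  </servlet-mapping>"
        )
    return "\n".join(entries)


if __name__ == "__main__":
    print(servlet_mappings_xml())
```

Paste the printed entries next to the existing "*.jsp" mapping in web.xml; there are eight for a three-letter extension, and the same generator covers "jspx" or any other extension your engine registers.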

