JSP Source Code leakage vulnerability caused by multiple web application servers
Author: Zoomlion Chinese: Unknown: JSPER
Affected Systems:
BEA Systems Weblogic 4.5.1
-Microsoft Windows NT 4.0
BEA Systems Weblogic 4.0.4
-Microsoft Windows NT 4.0
BEA Systems Weblogic 3.1.8
-Microsoft Windows NT 4.0
IBM Websphere Application Server 3.0.21
-Sun Solaris 8.0
-Microsoft Windows NT 4.0
-Linux kernel 2.3.x
-Ibm aix 4.3
Unify eWave ServletExec 3.0
-Sun Solaris 8.0
-Microsoft Windows 98
-Microsoft Windows NT 4.0
-Microsoft Windows NT 2000
-Linux kernel 2.3.x
-Ibm aix 4.3.2
-HP HP-UX 11.4
Description:
--------------------------------------------------------------------------------
Many webservers are case sensitive, but the case-sensitive ing of suffixes is not properly processed. As long as the suffix of JSP or JHTML files is converted from small to uppercase in the URL, the Web server cannot correctly process the file suffix and display it as plain text. Attackers may obtain the source code of these programs.
<* Source: stuart.mcclure@FOUNDSTONE.COM *>
--------------------------------------------------------------------------------
Suggestion:
Unify eWave ServletExec:
Unify says the default installed Servlet will not leak source code
BEA Systems Weblogic:
Temporary solution:
Add handler to all possible case suffixes:
. Jsp file:
. Jsp. Jsp. jSp. jsP. JSp. jSP. JsP. JSP
. Jhtml file:
. Jhtml. Jhtml. jHtml. jhTml. jhtMl. jhtmL. JHtml. JhTml
. JhtMl. JhtmL. jHTml. jHtMl. jHtmL. jhTMl. jhTmL. jhtML
. JHTml. JHtMl. JHtmL. JhTMl. JhTmL. JhtML. jHTMl. jHTmL
. JHtML. jhTML. JHTMl. JHTmL. JhTML. jHTML. JHTML
The vendor has provided a patch for Version 3.1.8, which can be downloaded at the following address:
Ftp://ftpna.beasys.com/pub/releases/318/caseSensitiveNTFix318.zip
IBM WebSphere Application Server:
IBM has provided corresponding patches:
Http://www-4.ibm.com/software/webservers/appserv/efix.html
Updated on: 2000-07-12 from: Green Corps