JSP script vulnerability Overview

Source: Internet
Author: User
Tags: microsoft iis

Server vulnerabilities are the origin of security problems, and most attacks on websites begin with the attacker looking for vulnerabilities on the other side. Website administrators can therefore only take appropriate measures against external attacks once they understand their own vulnerabilities. The following describes common vulnerabilities in some servers (including Web servers and JSP servers).

What is the vulnerability in Apache that exposes and overwrites arbitrary files?

Apache 1.2 and later versions include the mod_rewrite module, which maps special URLs onto absolute paths on the server's file system. If a rewrite rule with suitable parameters is passed to it, an attacker can view arbitrary files on the target host.

The following is an example of rewrite rule directives (only the first rule is vulnerable, because only it maps a captured URL fragment onto a file system path):

RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1

Affected Systems:

1) Apache 1.3.12

2) Apache 1.3.11win32

3) Apache 1.2.x

Unaffected systems: Apache 1.3.13
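The following is an added example (not part of the original article or of Apache): it models the three RewriteRule lines quoted above and shows the containment check an administrator can apply to the result of a file system path rewrite. The "safer" rule form and the base directory are assumptions for the example; the real fix for the affected versions is the upgrade to 1.3.13 listed above.

```python
# Added example, not part of the original article or Apache: it models the
# three RewriteRule lines quoted above and shows the containment check an
# administrator can apply to the result of a file system path rewrite.
import posixpath
import re

# Constructed rules modelled on the text; only the first maps onto an
# absolute file system path, so only the first can expose files.
RULES = [
    (r"^/test/(.*)$", "/usr/local/data/test-stuff/$1"),
    (r"^/more-icons/(.*)$", "/icons/$1"),
    (r"^/go/(.*)$", "http://www.apacheweek.com/$1"),
]

# Assumed hardened form: the capture may not contain a "/" at all, so a
# multi-segment traversal can never reach the substitution.
SAFER_RULES = [(r"^/test/([^/]+)$", "/usr/local/data/test-stuff/$1")] + RULES[1:]

BASE_DIR = "/usr/local/data/test-stuff"   # assumed directory the first rule is meant to expose


def apply_rewrite(rules, url_path):
    """Substitute $1..$9 from the first matching rule; None if no rule matches."""
    for pattern, substitution in rules:
        m = re.match(pattern, url_path)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), substitution)
    return None


def is_within(base_dir, target):
    """True if the normalised target still lies under base_dir."""
    base = posixpath.normpath(base_dir)
    path = posixpath.normpath(target)
    return path == base or path.startswith(base + "/")


def check_rewrite(rules, url_path, base_dir=BASE_DIR):
    """Classify what a request would reach: 'nomatch', 'redirect', 'ok' or 'escape'."""
    target = apply_rewrite(rules, url_path)
    if target is None:
        return "nomatch", None
    if "://" in target:
        return "redirect", target          # external redirect, no local file involved
    return ("ok" if is_within(base_dir, target) else "escape"), target


if __name__ == "__main__":
    probes = ("/test/readme.txt", "/test/../../../../../etc/passwd", "/test/..", "/go/x")
    for p in probes:
        print(p, "->", check_rewrite(RULES, p), "| safer:", check_rewrite(SAFER_RULES, p))
```

The tightened regex stops multi-segment traversal before the substitution happens, but a single ".." segment still matches it; the containment check on the normalised result is the backstop that catches that case as well.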

How can I expose JSP source code files by adding special characters to an HTTP request?

Unify eWave ServletExec is a Java/Java Servlet engine plug-in for Web servers such as Microsoft IIS, Apache and Netscape Enterprise Server.

When one of the following characters (or its URL-encoded form) is appended to an HTTP request, ServletExec returns the JSP source file instead of executing it:

. (%2E)

+ (%2B)

\ (%5C)

%20 (space)

%00 (null byte)

Successful exploitation of this vulnerability discloses the source code of the requested JSP file. For example, any of the following URL forms outputs the source of the specified JSP file:

1) http://target/directory/jsp/file.jsp.

2) http://target/directory/jsp/file.jsp%2E

3) http://target/directory/jsp/file.jsp+

4) http://target/directory/jsp/file.jsp%2B

5) http://target/directory/jsp/file.jsp\

6) http://target/directory/jsp/file.jsp%5C

7) http://target/directory/jsp/file.jsp%20

8) http://target/directory/jsp/file.jsp%00

Affected Systems:

1) Unify eWave ServletExec 3.0c

2) Sun Solaris 8.0

3) Microsoft Windows 98

4) Microsoft Windows NT 4.0

5) Microsoft Windows NT 2000

6) Linux kernel 2.3.x

7) IBM AIX 4.3.2

8) HP HP-UX 11.4

Solution:

If no static pages or images are used, you can configure a default servlet and map "/" to it. Any URL that is not mapped to another servlet is then handled by the default servlet, which in this case should only return "file not found". If static pages or images are used, you can still configure it this way, but the default servlet must then serve the requests for valid static pages and images itself.

Another possibility is to map *.jsp+, *.jsp. and *.jsp\ to a servlet that only returns "file not found". For forms such as *.jsp%00 and *.jsp%20, the mapping should be entered without encoding: for the *.jsp%20 mapping, for example, enter "*.jsp " (note that %20 is converted into a space character).
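As an added example (not ServletExec's code and not from the advisory), the following models the mapping strategy just described: the request path is decoded, the trailing characters listed above are stripped, and a request that only differs from a plain .jsp request by such a suffix is answered with "file not found" instead of being handed to the static file servlet. The paths used are constructed for the example.

```python
# Added example, not ServletExec's code: canonicalise a request path, flag
# the trailing-character variants listed in the advisory, and dispatch the
# way the recommended mapping does (answer "file not found" for them).
from urllib.parse import unquote

# The trailing characters from the advisory, after URL decoding:
# "." (%2E), "+" (%2B), "\" (%5C), space (%20) and the null byte (%00).
TRICK_SUFFIX_CHARS = ".+\\ \x00"


def canonical_target(raw_path):
    """Decode the path and strip trick suffixes.

    Returns (canonical_path, disguised_jsp). disguised_jsp is True when the
    request differs from a plain .jsp request only by one or more of the
    trick characters, which is exactly the case the mapping must catch.
    """
    decoded = unquote(raw_path)  # %2E -> ".", %20 -> " ", %00 -> "\x00", %2B -> "+"
    stripped = decoded.rstrip(TRICK_SUFFIX_CHARS)
    disguised = stripped != decoded and stripped.lower().endswith(".jsp")
    return stripped, disguised


def dispatch(raw_path):
    """Model of the recommended mapping: disguised JSP requests get a 404."""
    target, disguised = canonical_target(raw_path)
    if disguised:
        return 404, "file not found"   # never let the static file servlet see it
    if target.lower().endswith(".jsp"):
        return 200, "execute " + target
    return 200, "static " + target


if __name__ == "__main__":
    # Constructed request paths covering every variant listed above.
    for p in ("/app/file.jsp", "/app/file.jsp.", "/app/file.jsp%2E",
              "/app/file.jsp+", "/app/file.jsp%2B", "/app/file.jsp%5C",
              "/app/file.jsp%20", "/app/file.jsp%00", "/app/logo.png"):
        print(repr(p), "->", dispatch(p))
```

Stripping a whole run of trick characters (rstrip, not a single character) matters: a suffix such as "%2B%20" would otherwise slip past a check that only looks at the last character.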

What are Tomcat vulnerabilities?

Tomcat 3.1 exposes the website path

Tomcat 3.1 is software developed within the Apache project that supports JSP 1.1 and Servlets 2.2. It has a security problem: when a request for a non-existent JSP is sent, the full path of the web directory on the server is exposed.

Example:

http://narco.guerrilla.sucks.co:8080/anything.jsp

Result:

Error: 404

Location: /anything.jsp

JSP file "/javasrv2/jakarta-tomcat/webapps/ROOT/anything.jsp" not found

Solution: upgrade to the latest version.

Tomcat exposes JSP file content

Java Server Pages (JSP) files are registered on Tomcat with the '.jsp' extension. Tomcat is case sensitive with respect to file names, so '.jsp' and '.JSP' are different file extensions. If you submit a link ending in '.JSP' to Tomcat and Tomcat finds no handler for '.JSP', it responds to the request with the default 'text' file type. On Windows NT, file names are case insensitive, so the requested file is found and sent as plain text.

On a UNIX server, where file names are case sensitive, the same request only produces a "file not found" error.

How to implement code protection for Tomcat on Windows

Some versions of Tomcat have a source code leakage vulnerability: if you change the file suffix to upper case when calling a JSP page in a browser, the source code of that JSP file is output in full to the browser (the browser window may appear empty; view the HTML source to see it). Does this mean the site's source code is exposed on the Internet?

Don't worry; the solution is simple. Write all the case combinations of the suffix into tomcat_home\conf\web.xml. Tomcat then handles JSP files with each differently-cased extension separately, and the code is not leaked. The servlet-name / url-pattern pairs to add are:

<servlet-name>Jsp</servlet-name> <url-pattern>*.Jsp</url-pattern>

<servlet-name>JsP</servlet-name> <url-pattern>*.JsP</url-pattern>

<servlet-name>jSp</servlet-name> <url-pattern>*.JSp</url-pattern>

<servlet-name>JSP</servlet-name> <url-pattern>*.JSP</url-pattern>

<servlet-name>JSp</servlet-name> <url-pattern>*.JSp</url-pattern>
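The listing above covers only some spellings. As an added example (not Tomcat's code or configuration), the following generalises it: it enumerates every upper/lower case variant of an extension (eight for "jsp"), emits the corresponding web.xml servlet-mapping entries, and shows why a container that maps only "*.jsp" hands "file.JSP" to the default servlet on a case-insensitive file system. The servlet name passed in ("jsp") is an assumption for the example.

```python
# Added example, not Tomcat's own code: generate every case variant of a
# file extension with matching web.xml servlet-mapping entries, and check
# whether a request's extension is covered by the configured mappings.
import posixpath
from itertools import product
from xml.sax.saxutils import escape


def case_variants(ext):
    """All upper/lower spellings of ext, e.g. 'jsp' -> 8 variants (sorted)."""
    pairs = [(c.lower(), c.upper()) for c in ext]
    return sorted({"".join(p) for p in product(*pairs)})


def servlet_mappings_xml(servlet_name, ext):
    """web.xml <servlet-mapping> entries, one per case variant of *.ext."""
    entries = []
    for v in case_variants(ext):
        entries.append(
            "<servlet-mapping>\n"
            f"  <servlet-name>{escape(servlet_name)}</servlet-name>\n"
            f"  <url-pattern>*.{v}</url-pattern>\n"
            "</servlet-mapping>"
        )
    return "\n".join(entries)


def extension_is_mapped(request_path, url_patterns):
    """Exact, case-sensitive extension match, the way the container matches *.ext."""
    ext = posixpath.splitext(request_path)[1]   # ".JSP" or ""
    return bool(ext) and ("*" + ext) in url_patterns


def leaks_source(request_path, url_patterns, case_insensitive_fs):
    """True when the raw file would be served as text: the extension has no
    mapping, yet the file system still resolves the differently-cased name
    (assumes the lower-case .jsp file exists). On a case-sensitive file
    system the lookup simply fails with 'file not found'."""
    return case_insensitive_fs and not extension_is_mapped(request_path, url_patterns)


if __name__ == "__main__":
    only_lower = ["*.jsp"]
    all_cases = ["*." + v for v in case_variants("jsp")]
    for patterns in (only_lower, all_cases):
        print(patterns, "NT leaks /app/file.JSP:",
              leaks_source("/app/file.JSP", patterns, case_insensitive_fs=True))
    print(servlet_mappings_xml("jsp", "jsp"))
```

Every extension you serve through a servlet on Windows needs the same treatment; the function works for any extension, not only "jsp".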

What are the Allaire JRun vulnerabilities?

Illegal WEB-INF read vulnerability in Allaire JRun

A serious security vulnerability exists in Allaire JRun server 2.3. It allows an attacker to view the WEB-INF directory on a JRun 3.0 server.

If a user malforms a URL by adding an extra "/" when submitting a request, all subdirectories under WEB-INF are exposed. An attacker can exploit this vulnerability to gain remote access to all files in the WEB-INF directory of the target host.

For example, the following URL exposes all files under WEB-INF:

http://site.running.jrun:8100//WEB-INF/

Affected System: Allaire JRun 3.0

Solution: download and install the patch:

Allaire patch jr233p_ASB00_28_29 (Windows 95/98/NT/2000 and Windows NT Alpha): http://download.allaire.com/jrun/jr233p_ASB00_28_29.zip

Allaire patch jr233p_ASB00_28_29.tar (UNIX/Linux, GNU gzip/tar): http://download.allaire.com/jrun/jr233p_ASB00_28_29.tar.gz

Allaire JRun 2.3 Arbitrary File Viewing Vulnerability

Allaire's JRun server 2.3 has a source code disclosure vulnerability that allows attackers to view the source of arbitrary files under the root directory of the Web server.

JRun 2.3 uses Java Servlets to parse various types of pages (such as HTML and JSP). Depending on the settings in rules.properties and servlets.properties, any servlet may be invoked with the URL prefix "/servlet/".

JRun's SSIFilter servlet can be used to retrieve arbitrary files on the target system. The following examples show URLs that retrieve arbitrary files:

http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp

http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini

http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam

http://jrun:8000/servlet/ssifilter/../../test.jsp

http://jrun:8000/servlet/ssifilter/../../boot.ini

http://jrun:8000/servlet/ssifilter/../../winnt/repair/sam._

Note: Assume that JRun runs on the host "jrun" and port 8000.

Affected System: Allaire JRun 2.3.x

Solution: download and install the patch:

Allaire patch jr233p_ASB00_28_29 (Windows 95/98/NT/2000 and Windows NT Alpha): http://download.allaire.com/jrun/jr233p_ASB00_28_29.zip

Allaire patch jr233p_ASB00_28_29.tar (UNIX/Linux, GNU gzip/tar): http://download.allaire.com/jrun/jr233p_ASB00_28_29.tar.gz

Allaire JRun 2.3 Remote Command Execution Vulnerability

Allaire's JRun server 2.3 has a security vulnerability that lets remote users have arbitrary files on the Web server compiled and executed as JSP code. If the target file of a URL request carries the prefix "/servlet/", JRun's JSP interpretation and execution is activated, and "../" in the requested file path makes it possible to reach files outside the Web root. Requesting a file on the target host whose content was generated from user input therefore seriously threatens the security of the target system.
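The three JRun issues above share recognisable request shapes: an extra "/" in front of WEB-INF, the SSIFilter servlet invoked by name under "/servlet/", and "../" inside a "/servlet/" target. As an added example (not from the advisory or from Allaire), the following scans Common Log Format access-log lines for those shapes so a patched or unpatched server's logs can be reviewed. The log lines are constructed for the example and the labels are made up here.

```python
# Added example, not from the advisory: flag access-log entries that match
# the JRun request patterns described in the text. Log lines below are
# constructed; the checks cover only the documented patterns.
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; only the request field is inspected.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2000:10:01:02 +0000] "GET /index.jsp HTTP/1.0" 200 1024
10.0.0.5 - - [12/Oct/2000:10:01:09 +0000] "GET //WEB-INF/ HTTP/1.0" 200 2048
10.0.0.7 - - [12/Oct/2000:10:02:31 +0000] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp HTTP/1.0" 200 512
10.0.0.7 - - [12/Oct/2000:10:02:40 +0000] "GET /servlet/ssifilter/..%2F..%2Fboot.ini HTTP/1.0" 200 300
10.0.0.8 - - [12/Oct/2000:10:02:55 +0000] "GET /servlet/..%2F..%2Fupload/data.txt HTTP/1.0" 200 77
10.0.0.9 - - [12/Oct/2000:10:03:00 +0000] "GET /servlet/HelloServlet HTTP/1.0" 200 128
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def classify_request(path):
    """Return a finding label for one request path, or None if it looks benign."""
    decoded = unquote(path)          # see through %2F-style encoding of "../"
    upper = decoded.upper()
    lower = decoded.lower()
    if "//WEB-INF" in upper:
        return "web-inf-listing"     # extra slash in front of WEB-INF
    if lower.startswith("/servlet/"):
        if "ssifilter" in lower:
            return "ssifilter-file-read"   # SSIFilter invoked by class or alias name
        if "/../" in decoded:
            return "servlet-traversal"     # "../" inside a /servlet/ target
    return None


def scan_log(text):
    """Return (line_number, client_ip, request_path, label) for suspicious lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue                 # not a CLF request line
        label = classify_request(m.group("path"))
        if label:
            findings.append((n, line.split()[0], m.group("path"), label))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching is the important step: a request that spells "../" as "..%2F" reaches the servlet container decoded, so a check on the raw log string alone would miss it. Because the advisory's fix is the patch rather than a rule change, any SSIFilter invocation is reported, not only those containing "../".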
