I. Source code exposure vulnerabilities
1. Adding a special suffix causes JSP source code exposure. JSP has problems similar to the well-known ASP vulnerabilities, for example the uppercase-extension vulnerability in IBM WebSphere Application Server 3.0.21, BEA Systems WebLogic 4.5.1, Tomcat 3.1 and others; the "%82" and "../" special-character vulnerabilities in Resin 1.2; and the "%2e" and "+" vulnerabilities in ServletExec.
Example: on Tomcat listening on port 8080, requesting http://localhost:8080/index.jsp in a browser executes the page normally, but if index.jsp is changed to index.JSP, index.Jsp and so on, the browser prompts you to download the file. Once downloaded, the complete source code is visible.
Cause: JSP is case sensitive. Tomcat only treats a file ending in lowercase .jsp as a JSP file to be compiled and executed; with an uppercase extension, Tomcat treats index.JSP as an ordinary file that can be downloaded. Earlier versions of WebLogic and WebSphere all have the same problem. These vendors have since released new versions or patches that fix it.
Solution: download the patch from the server vendor's website. Because the author used ASP for a while and ran into many IIS vulnerabilities, for which the effective fix is to remove unnecessary mappings such as .htr and .htx, the same idea can be tried in JSP, the difference being that mappings are added rather than removed. The method is to add mappings in the server settings for .JSP and the other case variants, .jsp%2e and so on, and map them to a self-built servlet whose only function is to redirect the request to a custom error page similar to 404 Not Found. Different servers are configured differently; please refer to the corresponding documentation. This second solution can be used when no patch is available.
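One way to implement the mapping-based workaround above, written here as an added example rather than the article's own code: a servlet filter (Servlet 2.3 API) that answers 404 for any request whose extension is a capitalisation variant of .jsp, and also for the trailing-dot form produced by "%2e", so a container that only compiles lowercase .jsp is never asked to serve the raw file. It assumes the container returns the decoded path from getServletPath()/getPathInfo(); the class and web.xml names are made up.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: refuses index.JSP, index.Jsp, index.jsp. (from %2e) before a file servlet sees them. */
public class JspCaseGuardFilter implements Filter {

    /** True for any spelling of a .jsp request other than the exact lowercase "name.jsp". */
    static boolean isSuspiciousJspRequest(String path) {
        String name = path.substring(path.lastIndexOf('/') + 1);
        // Windows ignores trailing dots and spaces when opening a file, so "a.jsp." reaches a.jsp;
        // strip them first so the real extension is what gets inspected.
        String trimmed = name.replaceAll("[. ]+$", "");
        int dot = trimmed.lastIndexOf('.');
        if (dot < 0) {
            return false;                             // no extension at all: not a JSP request
        }
        String ext = trimmed.substring(dot + 1);
        if (!ext.equalsIgnoreCase("jsp")) {
            return false;                             // .html, .gif, ...: leave alone
        }
        // Only the untouched lowercase form is legitimate; case variants and trailing junk are refused.
        return !(ext.equals("jsp") && trimmed.length() == name.length());
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String path = http.getServletPath();
        if (http.getPathInfo() != null) {
            path += http.getPathInfo();               // decoded path, so %2e already appears as "."
        }
        if (isSuspiciousJspRequest(path)) {
            // Same response the article's self-built servlet gives: a plain 404, never the file.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, resp);                    // lowercase .jsp and everything else proceed normally
    }
}
/* web.xml registration (names assumed); one /* mapping covers every variant:
   <filter><filter-name>jspCaseGuard</filter-name><filter-class>JspCaseGuardFilter</filter-class></filter>
   <filter-mapping><filter-name>jspCaseGuard</filter-name><url-pattern>/*</url-pattern></filter-mapping> */
```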
2. Inserting special strings causes JSP source code exposure
There are also vulnerabilities caused by inserting special strings into the request path: the "/file/" path-prefix vulnerability in BEA WebLogic Enterprise 5.1, the "/servlet/file/" path-prefix vulnerability in IBM WebSphere 3.0.2, and so on.
Example: in IBM WebSphere 3.0.2, if the URL of the file login.jsp is http://site.running.websphere/login.jsp, then requesting http://site.running.websphere/servlet/file/login.jsp shows the source code of the file.
Cause: IBM WebSphere 3.0.2 uses different servlets to handle different kinds of page. If a requested file is not handled by a registered servlet, WebSphere hands it to a default servlet. If the file path starts with "/servlet/file/", the reserved file-serving servlet handles the requested file and returns it as-is, without parsing or compiling it.
Solution: download the latest patch from the server vendor's website.
3. Directory permissions may cause JSP source code exposure
We know that most JSP applications have a WEB-INF directory under their root, which typically stores the compiled class files of the beans written for the application. If the permissions on this directory are not set properly, all of those classes are exposed.
For example, suppose your website uses Apache 1.3.12 as the web server with a third-party JSP engine, and Apache 1.3.12 is left at its default configuration. If the application is at http://site.running.websphere/login.jsp, you need only request http://site.running.websphere/WEB-INF/ and all class files under this directory and its subdirectories are listed as a directory index, or can be downloaded to your machine.
Some people may say the classes are compiled, so it doesn't matter if they are downloaded; however, there are plenty of Java decompilers. Using Jad to decompile a class file gives something almost identical to the original Java file, with even the variable names unchanged. Worse, the class can be modified and recompiled for normal use.
The biggest security problem is that if the website author wrote the database connection information into the Java source, the decompiled class now reveals that information. Through the database's remote interface the attacker can connect to your database, and all of the data is then in his or her hands. Note: if the attacker obtains the SQL Server username and password this way, he can execute arbitrary DOS commands through the database, such as listing the files under C:/ and creating and deleting directories, so the entire Windows system is no longer safe.
Solution: the effective fix for the earlier ASP vulnerabilities on IIS was to give the ASP program directory execute permission only, not read permission. In a JSP environment the problem is solved through the server's configuration: simply put, set the permissions on the more important directories such as WEB-INF and classes so that the server denies access to them and only explicitly allowed requests get through. Take Apache as an example: add a directory entry for WEB-INF in httpd.conf and set "deny from all", and so on.
Another, more laborious way to solve the problem is to place a default file such as index.htm in every directory, so that the server returns that file to the user rather than a directory listing. This method is also recommended.
More important still is the storage of passwords. In JSP you can put a properties file under the WINNT system directory and use a bean to read the database information from it; that way, whoever reads the source code only learns that the database information lives in some .properties file under WINNT. It is a little more trouble, but even if the source code becomes known, the database information remains safe.
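The bean-plus-properties-file arrangement just described, as an added example that is not the article's own code: the JDBC settings are read from an absolute path outside the web root, so a decompiled class yields only that path. The file location and property key names are assumptions; the file itself should be readable only by the account the servlet container runs as.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

/** Hypothetical bean: loads database settings from a file that lives outside the deployment tree. */
public class DbConfigBean {
    // Assumed location following the article's WINNT suggestion; the file name is made up.
    public static final String DEFAULT_PATH = "C:\\WINNT\\myapp-db.properties";
    private static final String[] REQUIRED = { "db.url", "db.user", "db.password" };

    private final Properties props = new Properties();

    /** No-arg form for <jsp:useBean>; a missing or bad file fails loudly instead of half-configured. */
    public DbConfigBean() {
        try {
            load(DEFAULT_PATH);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read database config: " + e.getMessage());
        }
    }

    public DbConfigBean(String path) throws IOException {
        load(path);
    }

    private void load(String path) throws IOException {
        File f = new File(path);
        if (!f.isAbsolute()) {
            // A relative path resolves against the container's working directory, which may sit
            // inside the web tree; insist on an explicit location outside it.
            throw new IOException("config path must be absolute: " + path);
        }
        InputStream in = new FileInputStream(f);
        try {
            props.load(in);
        } finally {
            in.close();
        }
        for (int i = 0; i < REQUIRED.length; i++) {
            if (props.getProperty(REQUIRED[i]) == null) {
                // Report the missing key only; never echo the file's other values into an error page.
                throw new IOException("missing " + REQUIRED[i] + " in " + path);
            }
        }
    }

    public String getUrl()      { return props.getProperty("db.url"); }
    public String getUser()     { return props.getProperty("db.user"); }
    public String getPassword() { return props.getProperty("db.password"); }
}
```

In a page, `<jsp:useBean id="db" class="DbConfigBean" />` followed by `DriverManager.getConnection(db.getUrl(), db.getUser(), db.getPassword())` replaces the hard-coded credentials the article warns about.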
4. Path exposure caused by requesting a non-existent file. I believe everyone is familiar with this problem, because Microsoft IIS had many similar ones, for example the *.idc path disclosure vulnerability in Microsoft IIS. Similar issues now appear in JSP environments. This vulnerability exposes the hard drive path of the web application, and combined with other vulnerabilities it makes an attack more dangerous than either would be alone.
Example: on a particular server, requesting a non-existent JSP file such as http://localhost:8080/fdasfas.jsp returns javax.servlet.ServletException: java.io.FileNotFoundException: C:/web/APP/fadssad.jsp (???????????). From this we know the website lives under the C:/web/APP directory. Most people may not care, but it is helpful to a hacker.
Cause: the servlet in the JSP engine that handles these requests does not handle the exception properly; where the exception is handled properly, this problem does not occur.
Solution: the first option is the latest patch. If the web server has no patch, you can find the server's JSP mapping servlet file (a .class file), decompile it with Jad, find the exception handling method in the decompiled source, and wrap all of the processing in that method in an exception handler that redirects the request to a custom error page. Once the request is directed to the custom error response, the problem is solved.
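An application-level alternative to decompiling and patching the engine's servlet, added here as an example and not taken from the article: a filter (Servlet 2.3 API) that catches the FileNotFoundException on its way out of the JSP servlet and replaces it with a bare 404, so the absolute path in the exception message never reaches the browser. It assumes the container lets the exception propagate through the filter chain rather than rendering its own error page first; class and mapping names are made up.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: turns "FileNotFoundException: C:/web/APP/x.jsp" into a plain 404 Not Found. */
public class PathLeakFilter implements Filter {

    /** Walks ServletException root causes; true if a FileNotFoundException sits anywhere in the chain. */
    static boolean isMissingFile(Throwable t) {
        while (t != null) {
            if (t instanceof FileNotFoundException) {
                return true;
            }
            t = (t instanceof ServletException) ? ((ServletException) t).getRootCause() : null;
        }
        return false;
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, resp);
        } catch (ServletException e) {
            if (!isMissingFile(e) || resp.isCommitted()) {
                throw e;            // not our case, or headers already sent: leave it to the container
            }
            sendNotFound(resp);     // the path-bearing message stops here
        } catch (IOException e) {
            if (!isMissingFile(e) || resp.isCommitted()) {
                throw e;
            }
            sendNotFound(resp);
        }
    }

    /** Generic 404 with no message argument, so nothing about the file system is echoed back. */
    private static void sendNotFound(ServletResponse resp) throws IOException {
        ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_NOT_FOUND);
    }
}
/* web.xml (names assumed):
   <filter><filter-name>pathLeak</filter-name><filter-class>PathLeakFilter</filter-class></filter>
   <filter-mapping><filter-name>pathLeak</filter-name><url-pattern>*.jsp</url-pattern></filter-mapping> */
```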
II. Remote program execution vulnerabilities
This class of vulnerability is a security problem where a URL typed into a browser can be used to execute commands and programs on the server. For example, Allaire JRun 2.3 has a remote arbitrary command execution vulnerability, and iPlanet Web Server 4.x has a remote buffer overflow vulnerability.
Example: on an Allaire JRun 2.3 server on port 8000, the URL http://jrun:8000/servlet/jsp/../../path/sample.txt can be used to access files outside the web content directory. If the target is an EXE file, it may also be executed.
Cause: if the requested path carries the "/servlet/" prefix, the JSP interpreter is invoked; when "../" appears in the requested path, files outside the web server's root directory can be accessed. An attacker uses this to reach a file he has placed on the target host, and thereby obtains access to the target host system.
Solution: install the latest patch.
The reason for digging up this old post is that Tomcat 5.0.19 on Windows has a big source code exposure problem. If you are interested, check it out; if it is true, then the Tomcat team has stumbled in the same old place again.