JS Overview: Server Vulnerabilities are the origin of security problems, hackers on the site is mostly from the search for the other side of the vulnerability began. Therefore, only by understanding their own vulnerabilities, site managers can take appropriate countermeasures to prevent foreign attacks. Here are some common vulnerabilities for servers, including Web servers and JSP servers.
What's wrong with Apache leaking any rewritten file vulnerabilities?
There is a mod_rewrite module in Apache1.2 and later versions that specifies the absolute path that special URLs map on the network server file system. If you pass an overriding rule that contains the correct expression parameters, an attacker can view arbitrary files on the target host.
The following examples illustrate the overriding rule directives (where the first line contains only the vulnerabilities):
How do I resolve to expose a JSP source code file by adding special characters to an HTTP request?
Unify Ewave Servletexec is a Java/java Servlet engine plug-in that is used primarily for WEB servers, such as Microsoft IIS, Apache, Netscape Enterprise servers, and so on.
When one of the following characters is added to an HTTP request, SERVLETEXEC returns the JSP source code file.
.
%2e
+
%2b
%5c
%20
%00
A successful exploit would result in the disclosure of the source code for the specified JSP file, for example: using any of the following URL requests to output the source of the specified JSP file:
1) Unify Ewave servletexec 3.0c
2) Sun Solaris 8.0
3) Microsoft Windows 98
4) Microsoft Windows NT 4.0
5) Microsoft Windows NT 2000
6) Linux Kernel 2.3.x
7 IBM AIX 4.3.2
8 HP-UX 11.4
Solution:
If you do not use any static pages or images, you can configure a default servlet and map "/" to this default servlet. This default servlet is invoked when a URL that is not mapped to a servlet is received. In this case, the default servlet can simply return "files not found". If you use a static page or image, you can still make such a configuration, but you need to have this default servlet handle requests for legitimate static pages and images.
Another possibility is to map *.jsp+, *.jsp. and *.jsp to a servlet that simply returns "files not found." For cases such as *.jsp%00 and *.jsp%20, mappings should be entered in an encoded form. For example, you should enter "*.jsp" for *.jsp%20 mappings. Note that the%20 is converted to a space character.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
