Tomcat 3.1 is a servlet container from the Apache Jakarta project that supports JSP 1.1 and Servlets 2.2. It has a path-disclosure problem: a request for a JSP that does not exist returns an error page that reveals the absolute filesystem path of the web application's document root.
The response looks like this:
Error: 404
Location: /anything.jsp
JSP file "/appsrv2/jakarta-tomcat/webapps/root/anything.jsp" not Found
Solution: upgrade to a newer version of Tomcat.
Tomcat exposes JSP file contents
Java Server Pages (JSP) files are registered with Tomcat under the '.jsp' extension, and Tomcat matches the extension case-sensitively: as far as the servlet mappings are concerned, '.jsp' and '.Jsp' are two different file extensions. If a request arrives with a '.Jsp' link, Tomcat finds no mapping for '.Jsp' and hands the request to the default servlet, which serves the file as a plain text document. Because filenames on Windows NT are not case-sensitive, the file on disk is still found, and it is sent to the client as text, which means its JSP source.
On a UNIX server, where filenames are case-sensitive, the same request only produces a "File not found" error.
How to implement source-code protection for Tomcat under Windows
Some versions of Tomcat have a source-code disclosure vulnerability: if you call a JSP page in the browser with the file suffix changed to uppercase, the full source of the JSP file is sent to the browser (the browser window may look empty; in that case view the HTML source and the code is there). Does this mean the website's source code is exposed on the Internet?
Don't worry, the solution is simple: add a servlet-mapping for every upper/lower-case combination of the suffix to tomcat_home/conf/web.xml, so that Tomcat treats the differently-cased suffixes as JSP as well and the code is no longer revealed.
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.JSP</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.Jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jSp</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsP</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.JSp</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jSP</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.JsP</url-pattern>
</servlet-mapping>
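As an added example (not code from the original page or from the Tomcat project), the following Python script ties the two Tomcat 3.1 problems above together: it recovers the absolute path from the 404 message, enumerates every case variant of the .jsp suffix, classifies a response as a source leak when the body still carries JSP markup, and generates the web.xml servlet-mapping block that closes the hole. The response bodies in the self-test are constructed from the text above, the classify() heuristic is my own, and the host passed to probe() is a hypothetical target.

```python
import itertools
import re
import urllib.error
import urllib.request
from xml.sax.saxutils import escape

# Every upper/lower-case spelling of the suffix (8 for "jsp"). Tomcat 3.1
# maps only the exact lowercase "*.jsp" to the JSP servlet; on a
# case-insensitive filesystem (Windows NT) any other spelling still finds
# the file on disk, and the default servlet returns it as plain text.
def jsp_case_variants(ext="jsp"):
    variants = {"".join(bits)
                for bits in itertools.product(*[(c.lower(), c.upper()) for c in ext])}
    return sorted(variants)

# The fix described above: one <servlet-mapping> per variant in
# tomcat_home/conf/web.xml, all routed to the "jsp" servlet.
def servlet_mappings(servlet_name="jsp", ext="jsp"):
    blocks = []
    for variant in jsp_case_variants(ext):
        blocks.append(
            "<servlet-mapping>\n"
            f"    <servlet-name>{escape(servlet_name)}</servlet-name>\n"
            f"    <url-pattern>*.{variant}</url-pattern>\n"
            "</servlet-mapping>"
        )
    return "\n".join(blocks)

# Tomcat 3.1's error page for a missing JSP quotes the absolute on-disk path.
PATH_DISCLOSURE = re.compile(r'JSP file "([^"]+)" not [Ff]ound')

def disclosed_path(body):
    """Return the filesystem path leaked by a Tomcat 3.1 404 body, or None."""
    match = PATH_DISCLOSURE.search(body)
    return match.group(1) if match else None

# JSP directives, scriptlets and actions never survive a correct compile, so
# their presence in a 200 response means the raw source was served. A
# text/plain content type for a .jsp request is treated the same way
# (assumption: a legitimately rendered JSP is never served as text/plain).
JSP_MARKUP = re.compile(r"<%[@=!]?|<jsp:")

def classify(status, content_type, body):
    """Label one HTTP response as path-disclosure, source-leak or ok."""
    if status == 404 and disclosed_path(body):
        return "path-disclosure"
    if status == 200 and (JSP_MARKUP.search(body) or content_type.startswith("text/plain")):
        return "source-leak"
    return "ok"

def probe(base_url, page="index", timeout=5):
    """Fetch every case variant of page.jsp from base_url (a hypothetical host)
    and classify each response; returns {url: label}. Needs network access."""
    results = {}
    for variant in jsp_case_variants():
        url = f"{base_url.rstrip('/')}/{page}.{variant}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("latin-1", "replace")
                results[url] = classify(resp.status, resp.headers.get("Content-Type", ""), body)
        except urllib.error.HTTPError as err:
            body = err.read().decode("latin-1", "replace")
            results[url] = classify(err.code, err.headers.get("Content-Type", ""), body)
    return results

if __name__ == "__main__":
    # Constructed responses modelled on the text above; not captured traffic.
    missing = ('Error: 404\nLocation: /anything.jsp\n'
               'JSP file "/appsrv2/jakarta-tomcat/webapps/root/anything.jsp" not Found')
    print(classify(404, "text/html", missing), disclosed_path(missing))
    print(classify(200, "text/plain", '<%@ page language="java" %>\n<html></html>'))
    print(classify(200, "text/html", "<html><body>rendered</body></html>"))
    print(servlet_mappings())
```

Run probe("http://target.example:8080") against a test instance to walk all eight spellings; a "source-leak" label on any variant other than the lowercase one is the Windows case-folding bug, and the output of servlet_mappings() is the block to paste into web.xml.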
What vulnerabilities does Allaire JRun have?
Allaire JRun illegal read of WEB-INF vulnerability
There is a serious security vulnerability in Allaire JRun Server. It allows an attacker to view the WEB-INF directory of a JRun 3.0 server, which holds the deployment descriptor and the application's classes and is never meant to be served to clients.
If a user submits a URL request with an extra "/" prepended so that the URL becomes malformed, all subdirectories under WEB-INF are exposed. An attacker exploiting this vulnerability obtains remote read access to every file in the WEB-INF directory on the target host.
For example, the following URL exposes all files under WEB-INF:
http://site.running.jrun:8100//WEB-INF/
Affected systems: Allaire JRun 3.0
Solution: download and install the patch:
Allaire patch jr233p_ASB00_28_29 (Windows 95/98/NT/2000 and Windows NT Alpha):
http://download.allaire.com/jrun/jr233p_ASB00_28_29.zip
Allaire patch jr233p_ASB00_28_29 (Unix/Linux, GNU gzip/tar):
http://download.allaire.com/jrun/jr233p_ASB00_28_29.tar.gz
Allaire JRun 2.3 view-any-file vulnerability
Allaire JRun Server 2.3 has a source-code disclosure vulnerability that lets an attacker view the source of any file under the web server's root directory.
JRun 2.3 uses Java servlets to process the various page types (HTML, JSP, and so on). Depending on the settings in rules.properties and servlets.properties, any servlet can be invoked through the URL prefix "/servlet/".
In particular, the JRun ssifilter servlet can be invoked this way to retrieve arbitrary files from the target system. The following two examples show URLs that can be used to retrieve arbitrary files:
Note: assume JRun is running on the host "JRun", port 8000.
Affected systems: Allaire JRun 2.3.x
Solution: download and install the same patch:
Allaire patch jr233p_ASB00_28_29 (Windows 95/98/NT/2000 and Windows NT Alpha):
http://download.allaire.com/jrun/jr233p_ASB00_28_29.zip
Allaire patch jr233p_ASB00_28_29 (Unix/Linux, GNU gzip/tar):
http://download.allaire.com/jrun/jr233p_ASB00_28_29.tar.gz
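The two JRun issues above leave a distinctive trail in the access log: a path that reaches WEB-INF through a doubled slash, and direct invocation of the ssifilter servlet through the /servlet/ prefix. The following Python detector is an added example (not from the original page or from Allaire) that parses Common Log Format lines and flags both patterns. The log lines are constructed for the example, the path handed to ssifilter in them is illustrative rather than the page's missing example URLs, and the rule names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines modelled on the two JRun issues; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2000:10:01:02 +0000] "GET /index.jsp HTTP/1.0" 200 1432
10.0.0.9 - - [12/Oct/2000:10:01:05 +0000] "GET //WEB-INF/ HTTP/1.0" 200 812
10.0.0.9 - - [12/Oct/2000:10:01:07 +0000] "GET //WEB-INF/web.xml HTTP/1.0" 200 2210
10.0.0.9 - - [12/Oct/2000:10:01:09 +0000] "GET /servlet/ssifilter/index.jsp HTTP/1.0" 200 990
10.0.0.5 - - [12/Oct/2000:10:01:11 +0000] "GET /images/logo.gif HTTP/1.0" 200 4096
10.0.0.9 - - [12/Oct/2000:10:01:13 +0000] "GET /WEB-INF/ HTTP/1.0" 403 0
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

# Servlets that must never be reachable through the /servlet/ prefix.
SUSPICIOUS_SERVLETS = {"ssifilter"}

def classify_request(path):
    """Return a rule name for a suspicious request path, or None."""
    raw = unquote(path.split("?", 1)[0])
    # Collapse repeated slashes the way the container resolves them, then
    # compare segments case-insensitively (JRun on Windows sits on a
    # case-insensitive filesystem, so WEB-INF and web-inf are the same dir).
    segments = [s.lower() for s in re.sub(r"/+", "/", raw).split("/") if s]
    if "web-inf" in segments:
        return "web-inf-double-slash" if "//" in raw else "web-inf-direct"
    if len(segments) >= 2 and segments[0] == "servlet" and segments[1] in SUSPICIOUS_SERVLETS:
        return "servlet-invoke"
    return None

def detect(log_text):
    """Scan CLF lines; return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        ip, when, method, path, status, _size = m.groups()
        rule = classify_request(path)
        if rule is None:
            continue
        findings.append({
            "ip": ip, "time": when, "method": method, "path": path,
            "status": int(status), "rule": rule,
            # A 2xx on one of these paths means the server actually handed the content over.
            "exposed": 200 <= int(status) < 300,
        })
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        flag = "EXPOSED" if f["exposed"] else "blocked"
        print(f'{f["time"]} {f["ip"]} {f["rule"]:22} {f["method"]} {f["path"]} -> {f["status"]} ({flag})')
```

A direct /WEB-INF/ request that the server rejects with 403 is still reported (rule web-inf-direct) because it is the reconnaissance step that precedes the doubled-slash bypass; the exposed flag separates attempts from confirmed disclosure, so the two 200 responses on //WEB-INF/ are the ones that need incident handling.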
The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion;
the products and services mentioned on this page have no relationship with Alibaba Cloud. If the
content of the page is confusing, please write us an email and we will handle the problem
within 5 days of receiving it.