Vulnerability Development mailing list archives
Where does the hole lie?
From: Steve Maks <smaks () verisign com>
Date: Thu, 18 Apr 2002 18:32:59 -0500
While pen-testing a client's webserver with WebSphere in place, I came across a bug and I'm not sure whether the servlet is to blame or rather some part of WebSphere.

The case is this: After authenticating to the site, the user is sent to http://site/servlet/App?target=/index.jsp. If you change the target and ../ your way back up and then down again, accessing a file that exists such as /etc/passwd gives the following error:

    Error 403
    An error has occured while processing request:http://site/ErrorReporter
    Message: File not found: /../../../../../../etc/passwd
    Target Servlet: file
    StackTrace:
    --------------------------------------------------------------------------------
    Root Error-1: File not found: /../../../../../../etc/passwd
    com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: /../../../../../../etc/passwd
    --snip--

If I give it something that doesn't exist, such as /etc/passw, I get your standard 404. However, if I use the poison null byte trick and request /etc/passwd%00.jsp (only works with the .jsp extension), I receive my file. Consequently, a /etc%00.jsp and doing a view source will let me browse directories.

My instinct is that this happens because the servlet doesn't check for a null byte in the string, but I thought it was worthwhile to mention.

Thanks for any input.

Steve
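One way a servlet could validate a `target` parameter like the one described above before using it for a file lookup, as an added example that is not part of the original post and not WebSphere's or the application's code. The class name `TargetResolver`, the web root `/opt/app/web` and the sample inputs are constructed for illustration.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Hypothetical helper: resolves a request "target" to a path under the web root.
public class TargetResolver {
    private final Path webRoot;

    public TargetResolver(String webRoot) {
        this.webRoot = Paths.get(webRoot).toAbsolutePath().normalize();
    }

    /** Returns the resolved path only when the target is safe to forward to. */
    public Optional<Path> resolve(String target) {
        if (target == null || target.isEmpty()) return Optional.empty();
        // Reject NUL and other control characters first, so that the extension
        // check below and the eventual file open always see the same string.
        for (int i = 0; i < target.length(); i++) {
            if (Character.isISOControl(target.charAt(i))) return Optional.empty();
        }
        Path resolved;
        try {
            // Drop leading slashes so the target is resolved relative to the web root,
            // then collapse "." and ".." segments before any containment check.
            resolved = webRoot.resolve(target.replaceFirst("^/+", "")).normalize();
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
        // Containment: the normalized path must still be inside the web root.
        if (!resolved.startsWith(webRoot)) return Optional.empty();
        // Extension allowlist, applied to the normalized file name.
        Path name = resolved.getFileName();
        if (name == null || !name.toString().endsWith(".jsp")) return Optional.empty();
        return Optional.of(resolved);
    }

    public static void main(String[] args) {
        TargetResolver r = new TargetResolver("/opt/app/web"); // constructed web root
        String[] samples = {                                   // constructed inputs, already URL-decoded
            "/index.jsp", "/reports/view.jsp", "/../../../../../../etc/passwd",
            "/../../../../../../etc/passwd\0.jsp", "/../../../../../../etc\0.jsp"
        };
        for (String s : samples) {
            String shown = s.replace("\0", "%00");
            System.out.println(shown + " -> " + r.resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

Only the first two samples resolve; the traversal and NUL-byte variants are rejected before any file is opened. `normalize()` does not follow symbolic links, so a deployment that allows symlinks under the web root would also need a `toRealPath()` comparison.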