Bugtraq mailing list archives

IBM WebSphere JSP showcode vulnerability

From: stuart.mcclure () FOUNDSTONE COM (stuart.mcclure () FOUNDSTONE COM)
Date: Mon, 12 Jun 2000 01:22:38 -0400


                            Foundstone, Inc.
                       http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                    IBM WebSphere Application Server

----------------------------------------------------------------------
FS Advisory ID:         FS-061200-3-IBM

Release Date:           June 12, 2000

Product:                WebSphere Application Server

Vendor:                 IBM
                        http://www-4.ibm.com/software/webservers/
                        appserv/

Vendor Advisory:        http://www-4.ibm.com/software/webservers/
                        appserv/efix.html

Type:                   JSP show code vulnerability

Severity:               Low to Medium (depending on JSP coding
                        practices)

Author:                 Saumil Shah (saumil.shah () foundstone com)
                        Stuart McClure (stuart.mcclure () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      Windows NT

Vulnerable versions:    All version up to and including 3.0.2

Foundstone advisory:    http://www.foundstone.com
----------------------------------------------------------------------

Description

        A show code vulnerability exists with IBM's WebSphere
        Application Server for NT allowing an attacker to view the
        source code of Java Server Pages (JSP) files.

Details

        The problem lies with the way WebSphere assigns handlers to
        specific file types. For example, files with the extensions
        .jsp are registered as Java Server Pages by WebSphere.

        WebSphere being case sensitive, interprets .jsp and .JSP to
        be two extensions. If a request for a .JSP file is made to
        WebSphere, it cannot find a handler for the .JSP extension
        and therefore, it uses the default handler, which is of
        type "text". Since the underlying file system is Windows NT,
        it does not differentiate between upper case and lower case
        filenames, and hence the requested file ends up being served
        up as plain text without being parsed or interpreted. On
        WebSphere running on Unix servers, it flags a "File not Found"
        error.

Proof of Concept

        Normally, JSP files are referred to in URLs using lower case
        extensions. For example:

        http://site.running.websphere/index.jsp

        By changing any letters in the extension (.jsp) to upper case,
        it is possible to obtain the unparsed source code of the JSP
        file. For the above example, the exploit would be to access
        the following URL:

        http://site.running.websphere/index.JSP

Solution

        Workaround

        none

        Fix

        An efix (APAR #: PQ38936) is available and will be posted at:
        http://www-4.ibm.com/software/webservers/appserv/efix.html

Credits
        We would like to thank Shreeraj Shah for drawing our attention
        to this vulnerability. We'd also like to thank IBM for their
        prompt and serious attention to this issue.

Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or conquential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.

Current thread:

iMesh 1.02 vulnerability, (continued)
- - - iMesh 1.02 vulnerability Blue Panda (Jun 29)
    - Re: format bugs, in addition to the wuftpd bug Jason Axley (Jun 29)
    - Concerning the LDAP Enabled Netscape FTP Server Alfred Huger (Jun 27)
  - Glftpd privpath bugs... +fix Raymond Dijkxhoorn (Jun 26)
    - Re: Glftpd privpath bugs... +fix Scott (Jun 27)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel Sergio Bruder (Jun 08)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)
  - Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
    - IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
    - Using IP Filter to protect FW-1 4.0 (fwd) Darren Reed (Jun 12)
    - FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random FreeBSD Security Advisories (Jun 12)
    - RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
    - CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability Johannes Westerink (Jun 12)
    - SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit Moritz Jodeit (Jun 13)
    - Ethics ?? : Re: local root on linux 2.2.15 Gerrie (Jun 10)
  - CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH Andreas Hasenack (Jun 10)
- Trustix Security Advisory Oystein Viggen (Jun 09)
- Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Tom Yu (Jun 09)

(Thread continues...)