Bugtraq mailing list archives
Re: Patch for Potential Vulnerability in the execution of JSPs outside doc_root
From: Alex Yiu <ayiu () US ORACLE COM>
Date: Thu, 22 Feb 2001 21:01:22 -0000
Hi, Jon,

(This message was sent to jon () latchkey com, security () apache org, secalert_us () oracle com)

Regarding Jon's posting at:

    http://www.securityfocus.com/templates/archive.pike?list=1&mid=162712

I would like to provide more information.

Basically, there are two factors in the security issue in OracleJSP 1.1.0 (running on Apache/JServ) bundled in Oracle 8.1.7:

(1) OracleJSP 1.1.0 itself:

Although OracleJSP 1.1.0 handles URLs like:

    http://HOST/a.jsp/../../../../../../b.jsp
    http://HOST/../b.jsp

correctly (without security issue in these cases), it does not handle URLs like:

    http://HOST/a.jsp//..//..//..//..//..//../b.jsp

correctly on Windows NT. This has been fixed in OJSP 1.1.2.0.

(2) Apache/JServ:

    http://HOST/servlets/a.jsp

("/servlets" is the path mounted with a servlet zone. .jsp is associated with a servlet handling JSP requests.)

The getPathTranslated() returned a misleading non-null value, which is "/servlets/a.jsp" (or "c:\servlets\a.jsp" on NT). This behavior will lead most JSP engines to execute an unexpected jsp, if such a jsp exists. The Apache/JServ maintenance people within Oracle are fixing this problem also.

One more issue: it's about Tomcat and Jasper. FYI, it seems to me that the Tomcat 3.1 final release has security issues on URL cases like these:

    http://HOST/a.jsp/../../../../../../b.jsp
    http://HOST/../b.jsp
    http://HOST/a.jsp//..//..//..//..//..//../b.jsp

I have not checked with Tomcat 3.2 or 4.0. It may have been fixed.

Regards,
Alex Yiu

** The statements and opinions expressed here are my own and **
** do not necessarily represent those of Oracle Corporation. **
Current thread:
- Patch for Potential Vulnerability in the execution of JSPs outside doc_root Oracle Security Alerts (Feb 12)
- <Possible follow-ups>
- Re: Patch for Potential Vulnerability in the execution of JSPs outside doc_root Jon Stevens (Feb 13)
- Re: Patch for Potential Vulnerability in the execution of JSPs outside doc_root Alex Yiu (Feb 22)
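The URL shapes listed in the message above differ only in how "//" and ".." interact, so a containment check has to drop empty segments before it interprets "..". The following is an added example, not code from OracleJSP, Apache/JServ or Tomcat; the class name, method name and sample paths are constructed for illustration, and the input is assumed to be already URL-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class JspPathCheck {
    /**
     * Resolves a request path to a doc_root-relative path, or returns null
     * if the path climbs above doc_root. Both '/' and '\' count as
     * separators (the Windows NT case), and empty segments produced by
     * "//" are dropped before ".." is interpreted.
     * Hypothetical helper: assumes requestPath is already URL-decoded.
     */
    static String resolveUnderDocRoot(String requestPath) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : requestPath.split("[/\\\\]+")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                      // leading separator or "./"
            }
            if (seg.equals("..")) {
                if (stack.isEmpty()) {
                    return null;               // would escape doc_root
                }
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Constructed request paths: the three shapes from the message,
        // one benign path, and one using NT-style separators.
        String[] samples = {
            "/a.jsp/../../../../../../b.jsp",
            "/../b.jsp",
            "/a.jsp//..//..//..//..//..//../b.jsp",
            "/app/./pages//index.jsp",
            "/app\\..\\..\\b.jsp",
        };
        for (String s : samples) {
            String r = resolveUnderDocRoot(s);
            System.out.println(s + " -> " + (r == null ? "REJECT" : r));
        }
    }
}
```

The check runs on path segments rather than on the raw string, so the doubled-slash form is rejected for the same reason as the single-slash form: the ".." count exceeds the depth below doc_root.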