Bugtraq mailing list archives
Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")
From: Wang Yun <wangyun188 () hotmail com>
Date: 5 Feb 2004 19:12:54 -0000
TOPIC:
======
Apache + Resin Reveals JSP Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/")

Description:
============
A security vulnerability has been found in Windows NT/2000 systems that have Apache 1.3.29 + Resin 2.1.12 installed. The vulnerability allows remote users to view script source code and to access files in the forbidden directory.

Exploits:
=========
http://apache/index.jsp%20
It is possible to cause the Apache server to send back the content of index.jsp.

http://apache/WEB-INF../
It is possible to cause the Apache server to send back the listing of the "/WEB-INF/" directory.

Analyze:
========
1. Apache thinks "/WEB-INF../" is not equal to "/WEB-INF/", so it looks up this directory by itself.
2. The "/WEB-INF/" directory is not forbidden in the Apache config files.
3. "d:\resin\doc\>cd WEB-INF.." is legitimate on Windows systems.

Sorry for my poor English.

lovehacker
China

CHINESE (translated to English):
========
Installing Apache and Resin on Windows to support JSP or Servlets has two problems. First, it may leak the source code of JSP files; second, it may allow users to pass through the WEB-INF directory and access Servlets and JavaBeans. The specific way to expose JSP source code is to append %20, that is, a Unicode-encoded space, after the JSP file name; the specific way to access files under the WEB-INF directory is to append two or more dots after WEB-INF.

By combining these two problems an intruder can easily obtain important information such as database passwords: first use %20 to obtain the source code of a JSP file and learn the JavaBean file name from the source. For example, from <%@ page import="com.my.db.Database"%> we know the JavaBean is named Database.class and its directory is /WEB-INF/CLASSES/COM/MY/DB/. Then use the second method to access it and obtain the file; after Java decompilation we can see the important information in it.

Why does this problem occur? It is actually similar to the first Apache vulnerability I found (using %5c to access files outside the web directory): both arise because Apache was developed under UNIX and later ported to Windows. *NIX does not support "cd /usr..", but Windows does. When a user requests /WEB-INF../, Apache does not think it should hand the request to Resin; instead it looks for the directory itself, and because Windows allows dots after a directory name, Apache finds it successfully. Meanwhile, since Apache's configuration does not forbid access to files under that directory, Apache reads out the file content.

I am not very skilled; if anything is incorrect please point it out. Wishing everyone much prosperity in 2004!

lovehacker
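As an added illustration (not part of Wang Yun's post), the following Python models the trailing-dot/trailing-space collapse that the analysis above attributes to Windows and flags such requests in Apache access logs, so a defender can see why "/WEB-INF../" and "/index.jsp%20" reach objects a literal string match would not. The log lines are constructed samples and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2004:19:12:54 +0000] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.5 - - [05/Feb/2004:19:13:01 +0000] "GET /index.jsp%20 HTTP/1.0" 200 1833
10.0.0.5 - - [05/Feb/2004:19:13:10 +0000] "GET /WEB-INF../ HTTP/1.0" 200 2210
10.0.0.5 - - [05/Feb/2004:19:13:20 +0000] "GET /WEB-INF/web.xml HTTP/1.0" 403 294
10.0.0.7 - - [05/Feb/2004:19:14:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 4096
"""
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def win32_collapse(segment):
    """Model the Win32 name handling the post relies on: trailing dots and
    spaces in a path component are dropped when the object is opened, so
    'WEB-INF..' and 'index.jsp ' name the same objects as 'WEB-INF' and
    'index.jsp'. The special names '.' and '..' are left alone."""
    if segment in (".", ".."):
        return segment
    return segment.rstrip(". ")

def effective_path(request_target):
    """URL-decode the target and collapse each segment as Windows would."""
    path = unquote(request_target.split("?", 1)[0])
    return "/".join(win32_collapse(seg) for seg in path.split("/"))

def is_suspicious(request_target):
    """True when the literal and effective paths differ and the effective path
    reaches WEB-INF or a JSP (Apache matched the literal, the filesystem opened
    the effective one)."""
    literal = unquote(request_target.split("?", 1)[0])
    eff = effective_path(request_target)
    if eff == literal:
        return False
    return "/WEB-INF" in eff.upper() or eff.lower().endswith(".jsp")

def flag_log(log_text):
    """Return (literal target, effective path) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((m.group(1), effective_path(m.group(1))))
    return hits

if __name__ == "__main__":
    for literal, eff in flag_log(SAMPLE_LOG):
        print(f"{literal!r} would be served as {eff!r}")
```

The same normalisation applied to the request path before access control, or a directory rule matched on the normalised path, is what closes the gap the post describes.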