[19190] in bugtraq


Re: Patch for Potential Vulnerability in the execution of JSPs

daemon@ATHENA.MIT.EDU (Jon Stevens)
Tue Feb 13 17:42:05 2001

Message-ID:  <B6ADF767.227FB%jon@latchkey.com>
Date:         Mon, 12 Feb 2001 20:26:15 -0800
Reply-To: Jon Stevens <jon@LATCHKEY.COM>
From: Jon Stevens <jon@LATCHKEY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010212201633.A10825@manojk.users.mindspring.com>

Hi,

I'm the person responsible for maintaining Apache JServ (which is actually a
product that is not being developed further as a result of being deprecated
in favor of Tomcat and Jasper) and I'd like to just clarify that this problem
is strictly within Oracle's product and not within Apache JServ, as Apache
JServ does not include any extensions to allow it to run JSPs. In other
words, this is Oracle's security hole.

I would also appreciate it if Oracle would be clearer in this respect
in the future, and I would hope that if a security hole has been reported to
Oracle or anyone else, they would notify security@apache.org directly so
that the matter can be resolved quickly.

thanks,

-jon stevens
jon@apache.org

> Patch for Potential Vulnerability in the execution of JSPs outside
> doc_root
>
> Description of the problem
> A potential security vulnerability has been discovered in Oracle JSP
> releases 1.0.x through 1.1.1 (in Apache/Jserv). This vulnerability
> permits access to and execution of unintended JSP files outside the
> doc_root in Apache/Jserv. For example, accessing
> http://HOST/a.jsp//..//..//..//..//..//../b.jsp will execute b.jsp
> outside the doc_root instead of a.jsp if there is a b.jsp file in the
> matching directory.
>
> Products Affected
> Oracle8i Release 8.1.7, iAS Release 1.0.2
> Oracle JSP, Apache/JServ Releases 1.0.x - 1.1.1
>
> Platforms Affected
> Windows NT
>
> Likelihood of Occurrence
> Whenever //.. is present in the URI while using Apache/JServ.
>
> Solution
> Upgrade to OJSP Release 1.1.2.0.0 which is available on Oracle
> Technology Network's OJSP web site.
>
> Credits
> Oracle Corporation wishes to thank Georgi Guninski for discovering this
> vulnerability and promptly bringing it to Oracle's attention.


--
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/> && <http://java.apache.org/turbine/>
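The `//..` traversal described in the quoted Oracle advisory, as an added defensive example that is not part of this post or of any Apache or Oracle code: a request-path canonicalizer that refuses any `..` segment climbing above doc_root, and refuses to execute a JSP whose extension-mapped name (the first `*.jsp` segment) differs from the file the path actually resolves to. DOC_ROOT and the sample paths are constructed; only the `//..` pattern itself comes from the advisory.

```python
import posixpath

# Constructed document root for illustration (not from the advisory).
DOC_ROOT = "/var/www/docroot"


def canonical_segments(uri_path):
    """Split a URI path into segments, dropping the empty segments that
    repeated slashes ('//') produce and resolving '.' and '..'.
    Returns None when '..' would climb above the root, which is the
    escape from doc_root that the advisory describes."""
    stack = []
    for seg in uri_path.split("/"):
        if seg in ("", "."):
            continue                   # '//' and '/./' add nothing
        if seg == "..":
            if not stack:
                return None            # attempt to leave doc_root
            stack.pop()
        else:
            stack.append(seg)
    return stack


def mapped_jsp(uri_path):
    """The name a '*.jsp' extension mapping would dispatch on: the first
    raw segment ending in '.jsp', before any path normalisation."""
    for seg in uri_path.split("/"):
        if seg.endswith(".jsp"):
            return seg
    return None


def safe_jsp_target(doc_root, uri_path):
    """Return the file under doc_root to hand to the JSP engine, or None.
    Refuses paths that escape the root and paths where the mapped JSP name
    is not the file the canonical path ends in (dispatch on 'a.jsp' but
    execute 'b.jsp' is exactly the mismatch the advisory reports)."""
    segs = canonical_segments(uri_path)
    if not segs:
        return None
    mapped = mapped_jsp(uri_path)
    if mapped is None or segs[-1] != mapped:
        return None
    return posixpath.join(doc_root, *segs)


def looks_like_traversal(uri_path):
    """Log-review heuristic: a literal '..' segment in the raw request path,
    which links generated by normal JSP pages never contain."""
    return any(seg == ".." for seg in uri_path.split("/"))
```

The advisory's request shape `/a.jsp//..//..//..//..//..//../b.jsp` is rejected by the root check, while `/a.jsp/../b.jsp` stays inside doc_root but is still refused because the mapped name and the resolved file disagree.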
