[19346] in bugtraq
Re: Patch for Potential Vulnerability in the execution of JSPs
daemon@ATHENA.MIT.EDU (Alex Yiu)
Thu Feb 22 21:59:21 2001
Message-Id: <20010222210122.691.qmail@securityfocus.com>
Date: Thu, 22 Feb 2001 21:01:22 -0000
Reply-To: ayiu@US.ORACLE.COM
From: Alex Yiu <ayiu@US.ORACLE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi, Jon,
(This message was sent to jon@latchkey.com,
security@apache.org, secalert_us@oracle.com)
Regarding Jon's posting at:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=162712
I would like to provide more information.
Basically, there are two factors in the security
issue in OracleJSP 1.1.0 (running on Apache/JServ)
bundled in Oracle 8.1.7:
(1) OracleJSP 1.1.0 itself:
Although OracleJSP 1.1.0 handles URL like:
http://HOST/a.jsp/../../../../../../b.jsp
http://HOST/../b.jsp
correctly (without security issue in these cases),
it does not handle URL like:
http://HOST/a.jsp//..//..//..//..//..//../b.jsp
correctly on Windows NT.
This has been fixed in OJSP 1.1.2.0.
(2) Apache/JServ:
http://HOST/servlets/a.jsp
("/servlets" is the path mounted with a servlet
zone. .jsp is associated with a servlet handling
JSP requests. )
The getPathTranslated() returned a misleading
non-null value, which is "/servlets/a.jsp" (or
"c:\servlets\a.jsp" on NT).
This behavior will lead most JSP engines to
execute an unexpected jsp, if such a jsp exists.
The Apache/JServ maintenance people within Oracle
are fixing this problem also.
One more issue: it's about Tomcat and Jasper. FYI,
it seems to me that Tomcat 3.1 final release has
security issues on URL cases like these:
http://HOST/a.jsp/../../../../../../b.jsp
http://HOST/../b.jsp
http://HOST/a.jsp//..//..//..//..//..//../b.jsp
I have not checked with Tomcat 3.2 or 4.0. It may
have been fixed.
Regards,
Alex Yiu
** The statements and opinions expressed here are my own and **
** do not necessarily represent those of Oracle Corporation. **
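Added here as an illustration, not code from the post, Oracle, or Apache/JServ: a segment-based canonicalizer that treats all three URL forms above alike (the `//..//` form included), with a filesystem-level check behind it; the web root path is a constructed placeholder.

```python
import os
from typing import List, Optional

def canonicalize(url_path: str) -> Optional[str]:
    """Normalize a request path against the web root.

    Split on '/', drop empty segments (what '//' produces) and '.',
    let '..' pop the previous segment, and return None the moment a
    '..' would climb above the root. Rejecting rather than clamping to
    '/' means an escape attempt is never silently served as some other
    page. Backslashes count as separators so NT hosts see the same rule.
    """
    segments: List[str] = []
    for seg in url_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue            # '//' and '/./' carry no meaning
        if seg == "..":
            if not segments:
                return None     # would step above the web root
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def path_under_root(web_root: str, url_path: str) -> Optional[str]:
    """Second layer: map the canonical path onto the filesystem and check
    with realpath that the result still lies inside web_root, so a
    symlink or an OS-specific separator cannot undo the URL-level check."""
    canon = canonicalize(url_path)
    if canon is None:
        return None
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, canon.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target

# Constructed document root (assumption); nothing needs to exist on disk.
WEB_ROOT = "/srv/jsp-example-root"

if __name__ == "__main__":
    for p in ("/a.jsp/../../../../../../b.jsp",
              "/../b.jsp",
              "/a.jsp//..//..//..//..//..//../b.jsp",
              "/dir/a.jsp/../b.jsp"):
        print(f"{p:42} -> {path_under_root(WEB_ROOT, p)}")
```

Only the last request resolves; the three traversal forms from the post all return None before any file lookup happens.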