[23130] in bugtraq
Re: IBM AS/400 HTTP Server '/' attack
daemon@ATHENA.MIT.EDU (Mike Turk)
Tue Nov 13 19:08:37 2001
Date: 12 Nov 2001 20:07:32 -0000
Message-ID: <20011112200732.4711.qmail@mail.securityfoucs.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Mike Turk <mcturk@us.ibm.com>
To: bugtraq@securityfocus.com
Mailer: SecurityFocus
In-Reply-To: <3BEA999D.4070304@yahoo.com>
It is possible through HTTP server and servlet engine configurations
that HTML and/or JSP source could be view at the browser.
HTTP Server
There are configuration settings that could be made where JSP source could
be displayed in the browser, such as placing JSPs in the document root of
the HTTP server. Also, in regards to html pages, if you use a PASS directive
that allow all file types to be served
(e.g. Pass /MYsamples/* /QIBM/UserData/MyHtml/*) then you could see the HTML
source. If the directive is qualified by file type
(e.g. Pass /MYsamples/*.html /QIBM/UserData/MyHtml/*) you can prevent
the request ending with '/' from being serviced.
Servlet Engine:
The problem description does not mention what Servlet engine/JSP processor
that is being used. If it is WebSphere, if you have a file serving
servlet in your web application, it will try to service the request for
http://www.foo.com/getsource.jsp/. Like the PASS example above, if you
limit the types of requests to be served my the simple file servlet by file type,
you can prevent the source from being displayed. To do so:
1. select the simple file servlet for the web app.
2. modify the URI in the servlet web path list.
a) start by modifying the existing URI. It may look something like
default_host/webapp/myapp/
b) change to something like default_host/webapp/myapp/*.html
3. Continue adding URIs for other file types (*.gif, etc...)
4. Click Apply
5. Restart the web application
>
> IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
>that will show the source code of the page -- such as an .html or .jsp
>page -- by attaching an '/' to the end of a URL.
>
>Compare these two URL's:
>
>http://www.foo.com/getsource.jsp
>
>http://www.foo.com/getsource.jsp/
>
>The later URL will deliver the jsp source to the browser.
>
>I reported this problem to IBM approximately 9 or 10 months ago.
>
>I was told it was a bug but not a security vulnerability. When I
>explained that Microsoft had a similar bug (asp dot bug) they told me
>that "they did not share the same source code base." I replied to this
>ludicrous reply: "Isn't it possible that since you developed servers
>that function in a similar manner you have the same logical bug?" To
>this they were speechless. I imagine that a .jsp page could contain user
>names and passwords if they are accessing databases, especially if these
>databases are on the network.
>
>By the way, the IBM HTTP server was derived from an early version of
>Apache. I have not seen Apache servers vulnerable to this bug.
>
>Since I reported this "non-security" bug so long ago I hope it is fixed
>through the regular set of changes. I cannot confirm this bug was fixed.
>As far as I know this vulnerability was not yet reported to the public.
>
>'ken'
>
>
>
