[24331] in bugtraq
gnujsp: dir- and script-disclosure
daemon@ATHENA.MIT.EDU (Thomas Springer)
Tue Feb 19 19:02:29 2002
Message-Id: <3.0.6.32.20020219155101.013aff70@muzs010C>
Date: Tue, 19 Feb 2002 15:51:01 +0100
To: bugtraq@securityfocus.com
From: Thomas Springer <thomas.springer@tuev-sued.de>
Cc: pab@heise.de
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
---
mod:
for verifying this, ask your favourite google for sites running gnujsp, eg
+"/scripts/gnujsp/".
if you want to get a fix first - go for it, before you release this.
I tried to contact two sites running gnujsp asking for help with a fix -
but they didn't even bother to reply. I'm too busy to install gnujsp
and do further research myself.
tom
---
Most sites running apache/gnujsp are vulnerable to directory listing,
script source disclosure and httpd restrictions bypass.
Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running
gnujsp reveals a directory listing of any web directory including wwwroot;
it also reveals the script source of certain (not all!) script types,
depending on the webserver config.
Wrapping the url with /servlets/gnujsp/ bypasses
directory/file restrictions in httpd.conf or .htaccess; files and
directory structures can be displayed along with the .htaccess file.
Very few sites running gnujsp seem to be partially or completely immune to
this behaviour; most are vulnerable.
The /servlets/gnujsp/ path is easy to guess; it appears in many error messages.
I don't know enough about gnujsp to provide a solution - but it seems to be
kind of a configuration flaw in the standard config of gnujsp.
I only tested on apache - maybe other servers with gnujsp installed are
vulnerable too.
I contacted the gnujsp developers (according to the rather old AUTHORS file)
on 02/15/2002 without any response so far.
Maybe someone else familiar with gnujsp could provide a solution.
Regards,
Thomas Springer
(IT Security)
TUEV Informatik Service
Westendstr. 199
80806 München
Tel. 089 5791-2069
thomas.springer@tuev-sued.de
(pgp-signed mail welcome)
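The wrapping pattern the post describes, turned into a log-based check. This is an added example, not code from the post or from the gnujsp project. It parses Apache combined-format access log lines (constructed samples, not real traffic; the log regex and the list of script-source extensions are assumptions) and reports which requests reached a directory, a .htaccess file or a script source through /servlets/gnujsp/, so an operator can see from existing logs whether the wrapper is being used against a site.

```python
"""Detection helper for the /servlets/gnujsp/ URL-wrapping pattern from the post.

Added example, not code from the original post or from the gnujsp project.
It scans Apache combined-format access log lines for requests whose path is
wrapped in /servlets/gnujsp/ and classifies what the wrapped target was
(a directory, a .htaccess file, a script source, or something else).
The log lines below are constructed samples; the log format regex and the
list of script extensions are assumptions for this example.
"""
import re
from urllib.parse import unquote

WRAPPER = "/servlets/gnujsp/"

# Apache "combined" log format (assumption); captures only the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Extensions whose source should not be served verbatim (assumption).
SOURCE_EXTS = (".jsp", ".pl", ".cgi", ".php", ".inc")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Feb/2002:15:51:01 +0100] "GET /admin/ HTTP/1.0" 403 213 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Feb/2002:15:51:04 +0100] "GET /servlets/gnujsp/ HTTP/1.0" 200 2311 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Feb/2002:15:51:09 +0100] "GET /servlets/gnujsp/admin/ HTTP/1.0" 200 1804 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Feb/2002:15:51:15 +0100] "GET /servlets/gnujsp/admin/.htaccess HTTP/1.0" 200 77 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Feb/2002:15:51:22 +0100] "GET /servlets/gnujsp/cgi-bin/login%2epl HTTP/1.0" 200 4120 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Feb/2002:16:02:40 +0100] "GET /index.jsp HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Feb/2002:16:03:01 +0100] "GET /servlets/gnujsp/images/logo.gif HTTP/1.0" 404 301 "-" "Mozilla/4.0"
"""


def unwrap(path):
    """Return the target path behind the gnujsp wrapper, or None if the
    request was not wrapped.  The query string is dropped and percent-encoding
    decoded so that an encoded name such as login%2epl is not missed."""
    path = unquote(path.split("?", 1)[0])
    if not path.startswith(WRAPPER):
        return None
    return path[len(WRAPPER) - 1:]          # keep the target's leading slash


def classify(target):
    """Label what a wrapped target exposes, following the post's three cases."""
    if target.endswith("/"):
        return "directory listing"
    name = target.rsplit("/", 1)[-1]
    if name == ".htaccess":
        return ".htaccess disclosure"
    if name.lower().endswith(SOURCE_EXTS):
        return "script source disclosure"
    return "other"


def scan(log_text):
    """Parse log lines and return one finding per wrapped request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a line in the assumed format
        target = unwrap(m["path"])
        if target is None:
            continue                        # ordinary, unwrapped request
        findings.append({
            "ip": m["ip"],
            "target": target,
            "kind": classify(target),
            "status": int(m["status"]),
            "served": m["status"] == "200",  # 200 means the wrapper worked
        })
    return findings


def served_by_kind(findings):
    """Count successfully served (HTTP 200) wrapped requests per kind."""
    counts = {}
    for f in findings:
        if f["served"]:
            counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        flag = "SERVED" if f["served"] else "status %d" % f["status"]
        print("%-14s %-26s %s  (%s)" % (f["ip"], f["kind"], f["target"], flag))
    print(served_by_kind(results))
```

Only wrapped requests that returned 200 count as a confirmed exposure; a 403 or 404 on the wrapped path is a probe that did not succeed. A direct request to the same path (the first sample line, /admin/ returning 403) is the control: if the wrapped form of that path returns 200, the restriction in httpd.conf or .htaccess is being bypassed exactly as the post describes.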