[24337] in bugtraq


Re: gnujsp: dir- and script-disclosure

daemon@ATHENA.MIT.EDU (Stefan Gybas)
Wed Feb 20 12:19:50 2002

Date: Wed, 20 Feb 2002 16:54:22 +0100
From: Stefan Gybas <gybas@trustsec.de>
To: Thomas Springer <thomas.springer@tuev-sued.de>
Cc: bugtraq@securityfocus.com, pab@heise.de
Message-ID: <20020220155422.GA31582@avoive.trustsec.de>
In-Reply-To: <3.0.6.32.20020219155101.013aff70@muzs010C>


On Tue, Feb 19, 2002 at 03:51:01PM +0100, Thomas Springer wrote:

> Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running
> gnujsp, reveals directory-listing of any webdir including wwwroot, it also
> reveals the script-source of certain (not all!) script-types, depending on
> webserver-config.

The actual hole is in JServ (a servlet engine for which GNUJSP was mainly
written) since it sets the servlet PathInfo to [dirname]/[file] in the
above example. The GNUJSP servlet then incorrectly assumes that the
request was made to "http://site/[dirname]/[file]".

> I don't know enough about gnujsp to provide a solution - but it seems to be
> kind of a configuration flaw in standard-config of gnujsp.

There's a "denyuri" configuration option for GNUJSP but this is not a
good fix since

1. The same GNUJSP servlet can be called with multiple URIs (e.g.
   /servlets/gnujsp and /servlet/gnujsp)

2. It does not seem to work with GNUJSP 1.0.0 and JServ at all when
   there are servlet aliases

A more secure solution is the attached patch for GNUJSP 1.0.0 and 1.0.1
which forbids all direct requests to the GNUJSP servlet. Only files which
are mapped to the GNUJSP servlet (in most cases *.jsp) can be accessed
then.

-- 
Stefan Gybas
trustsec IT solutions GmbH

[Attachment: gnujsp-1.0.0.patch]

diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java
--- src.old/org/gjt/jsp/JspServlet.java	Mon Oct 18 19:28:52 1999
+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:09:27 2002
@@ -262,6 +262,12 @@
 	    */
 	}
 
+	// Security check: Deny the request if the path is appended to
+	// the servlet URI -- gybas@trustsec.de
+	if (request.getRequestURI().startsWith(request.getServletPath())) {
+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
 	String jspURI  = requestToJspURI (request);
 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {
 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
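Review bot: the new check calls `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` but does not leave the method, so execution continues into `requestToJspURI(request)` and the existing `denyURI` check, which can call `sendError` a second time on a response that is already committed (an `IllegalStateException` in servlet containers) and may then go on to compile and serve the page anyway. Add `return;` directly after the `sendError` line so the denial is final, and check whether the `denyURI` branch below needs the same treatment (its continuation is outside the hunk).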

[Attachment: gnujsp-1.0.1.patch]

Only in src: DIFF
diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java
--- src.old/org/gjt/jsp/JspServlet.java	Thu Oct  5 09:28:00 2000
+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:41:16 2002
@@ -598,6 +598,12 @@
 			  String jspURI)
 	throws IOException, ServletException
     {
+	// Security check: Deny the request if the path is appended to
+	// the servlet URI -- gybas@trustsec.de
+	if (request.getRequestURI().startsWith(request.getServletPath())) {
+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
 	// Deny requests beginning with denyURI, if specified.
 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {
 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
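Review bot: `request.getRequestURI().startsWith(request.getServletPath())` depends on container-specific semantics of `getServletPath()` that are not documented in this patch: for the fix to block only alias invocations (`/servlets/gnujsp/...`) and still allow `*.jsp` files mapped to the servlet, the container must return the alias for the former and something that is not a prefix of the request URI for the latter, and the request URI must not carry a context-path prefix that the servlet path lacks (in which case the test never matches and the check is silently bypassed). Since the cover message describes the problem as JServ setting the servlet `PathInfo` to `[dirname]/[file]`, testing that condition directly (`request.getPathInfo() != null` with non-empty content) expresses the intent more robustly; whichever test is kept, add `return;` after the `sendError` call here as well, otherwise the method falls through to the `denyURI` check and the rest of the request handling.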
