[15309] in bugtraq
BEA WebLogic JSP showcode vulnerability
daemon@ATHENA.MIT.EDU (stuart.mcclure@FOUNDSTONE.COM)
Mon Jun 12 01:42:59 2000
Message-Id: <2153DBA073F0D311911100B0D01A826F05B76E@mail.foundstone.com>
Date: Mon, 12 Jun 2000 01:19:45 -0400
Reply-To: stuart.mcclure@FOUNDSTONE.COM
From: stuart.mcclure@FOUNDSTONE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
BEA's WebLogic
----------------------------------------------------------------------
FS Advisory ID: FS-061200-2-BEA
Release Date: June 12, 2000
Product: WebLogic
Vendor: BEA Systems (http://www.beasys.com)
Vendor Advisory: None available at release time.
Type: JSP/JHTML show code vulnerability
Severity: Low to Medium (depending on JSP/JHTML coding
practices)
Author: Saumil Shah (saumil.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: Windows NT
Vulnerable versions: Up to and including WebLogic 4.5.1
Foundstone Advisory: http://www.foundstone.com
----------------------------------------------------------------------
Description
A show code vulnerability exists with BEA's WebLogic 4.5.1 for
NT allowing an attacker to view the source code of Java Server
Pages (JSP) or JHTML files.
Details
The problem lies with the way WebLogic assigns handlers to
specific file types. For example, files with the extensions
.jsp and .jhtml are registered as Java Server Pages or Java
Servlet files in the WebLogic configuration file
"weblogic.properties", which lies under the \weblogic directory.
A sample out-of-the-box configuration file looks as
follows:
# ---irrelevant part trimmed out---
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# WEBLOGIC JHTML PROPERTIES
# ------------------------------------------------
# Sets up automatic page compilation for JHTML. Adjust init
# args for directory locations and uncomment to use.
weblogic.httpd.register.*.jhtml=\
    weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.initArgs.*.jhtml=\
    pageCheckSeconds=1,\
    packagePrefix=examples.jhtml,\
    compileCommand=c:/java/bin/javac.exe,\
    workingDir=d:/weblogic/myserver/classfiles,\
    verbose=true
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# WEBLOGIC JSP PROPERTIES
# ------------------------------------------------
# Sets up automatic page compilation for JSP. Adjust init
# args for directory locations and uncomment to use.
weblogic.httpd.register.*.jsp=\
    weblogic.servlet.JSPServlet
weblogic.httpd.initArgs.*.jsp=\
    pageCheckSeconds=1,\
    compileCommand=c:/java/bin/javac.exe,\
    workingDir=d:/weblogic/myserver/classfiles,\
    verbose=true
We can observe that the extensions .jsp and .jhtml are
assigned to be handled by the Java compiler.
WebLogic, being case sensitive by default, interprets .jsp and
.JSP to be two extensions. The same is the case with .jhtml and
.JHTML. If a request for a .JSP file is made to WebLogic, it
cannot find a handler for the .JSP extension and therefore,
it uses the default handler, which is of type "text". Since
the underlying file system is Windows NT, it does not
differentiate between upper case and lower case filenames,
and hence the requested file ends up being served up as plain
text without being parsed or interpreted. On WebLogic running
on Unix servers, it flags a "File not Found" error.
Proof of concept
Normally, JSP and JHTML files are referred to in URLs using
lower case extensions. For example:
http://site.running.weblogic/login.jsp -or-
http://site.running.weblogic/index.jhtml
By changing any letters in the extension (.jsp or .jhtml) to
upper case, it is possible to obtain the unparsed source code
of the JSP or JHTML file:
http://site.running.weblogic/login.JSP -or-
http://site.running.weblogic/index.JHTML
Solution
Workaround
A cumbersome workaround to this problem would be to add
handlers for the following file extensions in the configuration
file:
For .jsp files:
.jsp .Jsp .jSp .jsP .JSp .jSP .JsP .JSP
For .jhtml files:
.jhtml .Jhtml .jHtml .jhTml .jhtMl .jhtmL .JHtml .JhTml
.JhtMl .JhtmL .jHTml .jHtMl .jHtmL .jhTMl .jhTmL .jhtML
.JHTml .JHtMl .JHtmL .JhTMl .JhTmL .JhtML .jHTMl .jHTmL
.jHtML .jhTML .JHTMl .JHTmL .JhTML .jHTML .JHTML
These extensions cover all combinations of upper and lower case
characters for .jsp and .jhtml.
Fix
Check the following property in the weblogic.properties file:
weblogic.httpd.servlet.extensionCaseSensitive
In certain versions of BEA WebLogic Server, the default setting
of this property is set to "false". For maximum security, as
documented in the BEA security lockdown documentation at:
http://www.weblogic.com/docs51/admindocs/properties.html
http://www.weblogic.com/docs51/admindocs/lockdown.html
set weblogic.httpd.servlet.extensionCaseSensitive to "true", or
add the following line to your weblogic.properties file:
weblogic.httpd.servlet.extensionCaseSensitive=true
See the following matrix to determine the appropriate course of
action for your version of BEA WebLogic Server.
Version: BEA WebLogic 5.1 for Windows NT
Status: Set to true by default
Action: None
Version: BEA WebLogic 4.5.2 for Windows NT
Status: Set to true by default
Action: None
Version: BEA WebLogic 4.5.1 for Windows NT
Status: Set to false by default
Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true
Version: BEA WebLogic 4.0.4 for Windows NT
Status: Set to false by default
Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true
Version: BEA WebLogic 3.1.8
Status: False by default
Action: Apply patch found at:
ftp://ftpna.beasys.com/pub/releases/318/caseSensitiveNTFix318.zip
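Added example (not part of the Foundstone advisory and not BEA code): a Python audit of a weblogic.properties file that reports the value of weblogic.httpd.servlet.extensionCaseSensitive and, for the workaround, which case spellings of each registered extension have no handler. SAMPLE and all function names are constructed for illustration; the parser handles only comments, key=value and backslash continuation.

```python
import itertools
import re

FLAG = "weblogic.httpd.servlet.extensionCaseSensitive"
REGISTER = re.compile(r"^weblogic\.httpd\.register\.\*\.([A-Za-z]+)$")

# Constructed sample, modelled on the out-of-the-box file quoted in the advisory.
SAMPLE = r"""
weblogic.httpd.register.*.jsp=\
    weblogic.servlet.JSPServlet
weblogic.httpd.register.*.JSP=\
    weblogic.servlet.JSPServlet
weblogic.httpd.register.*.jhtml=\
    weblogic.servlet.jhtmlc.PageCompileServlet
"""

# The .jhtml workaround list, copied as printed in the advisory.
ADVISORY_JHTML = """
.jhtml .Jhtml .jHtml .jhTml .jhtMl .jhtmL .JHtml .JhTml
.JhtMl .JhtmL .jHTml .jHtMl .jHtmL .jhTMl .jhTmL .jhtML
.JHTml .JHtMl .JHtmL .JhTMl .JhTmL .JhtML .jHTMl .jHTmL
.jHtML .jhTML .JHTMl .JHTmL .JhTML .jHTML .JHTML
"""

def parse_properties(text):
    """Parse '#' comments, key=value pairs and trailing-backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]          # join with the next physical line
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def case_variants(ext):
    """Every upper/lower-case spelling of ext: 8 for 'jsp', 32 for 'jhtml'."""
    return {"".join(p) for p in itertools.product(*((c.lower(), c.upper()) for c in ext))}

def audit(text):
    """Return (value of FLAG or None, {extension: spellings with no handler})."""
    props = parse_properties(text)
    registered = {m.group(1) for k in props if (m := REGISTER.match(k))}
    gaps = {b: sorted(case_variants(b) - registered)
            for b in {e.lower() for e in registered}}
    return props.get(FLAG), {b: g for b, g in gaps.items() if g}

def missing_from_list(listed, ext):
    """Spellings of ext that a whitespace-separated '.ext' list leaves out."""
    return sorted(case_variants(ext) - {t.lstrip(".") for t in listed.split()})

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(missing_from_list(ADVISORY_JHTML, "jhtml"))
```

Run over the .jhtml list as printed in the workaround, missing_from_list returns one spelling, .JHtML; a hand-maintained list of 32 handlers is easy to get wrong, whereas the property in the Fix section is a single line to verify.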
Credits
We would like to thank Shreeraj Shah for drawing our attention to
this vulnerability. In addition, we would like to thank BEA for
their prompt and serious attention to the problem.
Disclaimer
The information contained in this advisory is the copyright (C)
2000 of Foundstone, Inc. and believed to be accurate at the time
of printing, but no representation or warranty is given, express
or implied, as to its accuracy or completeness. Neither the
author nor the publisher accepts any liability whatsoever for
any direct, indirect or consequential loss or damage arising in
any way from any use of, or reliance placed on, this information
for any purpose. This advisory may be redistributed provided that
no fee is assigned and that the advisory is not modified in any
way.