[15314] in bugtraq
IBM WebSphere JSP showcode vulnerability
daemon@ATHENA.MIT.EDU (stuart.mcclure@FOUNDSTONE.COM)
Mon Jun 12 13:35:29 2000
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01BFD42E.39537450"
Message-Id: <2153DBA073F0D311911100B0D01A826F05B770@mail.foundstone.com>
Date: Mon, 12 Jun 2000 01:22:38 -0400
Reply-To: stuart.mcclure@FOUNDSTONE.COM
From: stuart.mcclure@FOUNDSTONE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01BFD42E.39537450
Content-Type: text/plain;
charset="ISO-8859-1"
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
IBM WebSphere Application Server
----------------------------------------------------------------------
FS Advisory ID: FS-061200-3-IBM
Release Date: June 12, 2000
Product: WebSphere Application Server
Vendor: IBM
http://www-4.ibm.com/software/webservers/
appserv/
Vendor Advisory: http://www-4.ibm.com/software/webservers/
appserv/efix.html
Type: JSP show code vulnerability
Severity: Low to Medium (depending on JSP coding
practices)
Author: Saumil Shah (saumil.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: Windows NT
Vulnerable versions: All version up to and including 3.0.2
Foundstone advisory: http://www.foundstone.com
----------------------------------------------------------------------
Description
A show code vulnerability exists with IBM's WebSphere
Application Server for NT allowing an attacker to view the
source code of Java Server Pages (JSP) files.
Details
The problem lies with the way WebSphere assigns handlers to
specific file types. For example, files with the extensions
.jsp are registered as Java Server Pages by WebSphere.
WebSphere being case sensitive, interprets .jsp and .JSP to
be two extensions. If a request for a .JSP file is made to
WebSphere, it cannot find a handler for the .JSP extension
and therefore, it uses the default handler, which is of
type "text". Since the underlying file system is Windows NT,
it does not differentiate between upper case and lower case
filenames, and hence the requested file ends up being served
up as plain text without being parsed or interpreted. On
WebSphere running on Unix servers, it flags a "File not Found"
error.
Proof of Concept
Normally, JSP files are referred to in URLs using lower case
extensions. For example:
http://site.running.websphere/index.jsp
By changing any letters in the extension (.jsp) to upper case,
it is possible to obtain the unparsed source code of the JSP
file. For the above example, the exploit would be to access
the following URL:
http://site.running.websphere/index.JSP
Solution
Workaround
none
Fix
An efix (APAR #: PQ38936) is available and will be posted at:
http://www-4.ibm.com/software/webservers/appserv/efix.html
Credits
We would like to thank Shreeraj Shah for drawing our attention
to this vulnerability. We'd also like to thank IBM for their
prompt and serious attention to this issue.
Disclaimer
The information contained in this advisory is the copyright (C)
2000 of Foundstone, Inc. and believed to be accurate at the time
of printing, but no representation or warranty is given, express
or implied, as to its accuracy or completeness. Neither the
author nor the publisher accepts any liability whatsoever for
any direct, indirect or conquential loss or damage arising in
any way from any use of, or reliance placed on, this information
for any purpose. This advisory may be redistributed provided that
no fee is assigned and that the advisory is not modified in any
way.
------_=_NextPart_001_01BFD42E.39537450
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3DISO-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2650.12">
<TITLE>IBM WebSphere JSP showcode vulnerability</TITLE>
</HEAD>
<BODY>
<P><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Foundstone, Inc.</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; =
<A HREF=3D"http://www.foundstone.com" =
TARGET=3D"_blank">http://www.foundstone.com</A></FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; =
"Securing the Dot Com =
World" &=
nbsp; </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Security Advisory</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; IBM WebSphere =
Application Server</FONT>
</P>
<P><FONT =
SIZE=3D2>---------------------------------------------------------------=
-------</FONT>
<BR><FONT SIZE=3D2>FS Advisory =
ID: =
FS-061200-3-IBM</FONT>
</P>
<P><FONT SIZE=3D2>Release =
Date: June =
12, 2000</FONT>
</P>
<P><FONT =
SIZE=3D2>Product: &=
nbsp; WebSphere Application Server</FONT>
</P>
<P><FONT =
SIZE=3D2>Vendor: &n=
bsp; IBM</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; <A HREF=3D"http://www-4.ibm.com/software/webservers/" =
TARGET=3D"_blank">http://www-4.ibm.com/software/webservers/</A></FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; appserv/</FONT>
</P>
<P><FONT SIZE=3D2>Vendor =
Advisory: <A =
HREF=3D"http://www-4.ibm.com/software/webservers/" =
TARGET=3D"_blank">http://www-4.ibm.com/software/webservers/</A></FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; appserv/efix.html</FONT>
</P>
<P><FONT =
SIZE=3D2>Type: &nbs=
p; JSP show code =
vulnerability</FONT>
</P>
<P><FONT =
SIZE=3D2>Severity: =
Low to Medium (depending on JSP coding =
</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; practices)</FONT>
</P>
<P><FONT =
SIZE=3D2>Author: &n=
bsp; Saumil Shah =
(saumil.shah@foundstone.com)</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Stuart McClure (stuart.mcclure@foundstone.com)</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Foundstone, Inc. (<A HREF=3D"http://www.foundstone.com" =
TARGET=3D"_blank">http://www.foundstone.com</A>)</FONT>
</P>
<P><FONT SIZE=3D2>Operating Systems: =
Windows NT</FONT>
</P>
<P><FONT SIZE=3D2>Vulnerable versions: All version up =
to and including 3.0.2</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; </FONT>
<BR><FONT SIZE=3D2>Foundstone advisory: <A =
HREF=3D"http://www.foundstone.com" =
TARGET=3D"_blank">http://www.foundstone.com</A></FONT>
<BR><FONT =
SIZE=3D2>---------------------------------------------------------------=
-------</FONT>
</P>
<P><FONT SIZE=3D2>Description</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> A show =
code vulnerability exists with IBM's WebSphere </FONT>
<BR><FONT SIZE=3D2> =
Application Server for NT allowing an attacker to view the </FONT>
<BR><FONT SIZE=3D2> source =
code of Java Server Pages (JSP) files.</FONT>
</P>
<P><FONT SIZE=3D2>Details</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> The =
problem lies with the way WebSphere assigns handlers to </FONT>
<BR><FONT SIZE=3D2> specific =
file types. For example, files with the extensions </FONT>
<BR><FONT SIZE=3D2> .jsp are =
registered as Java Server Pages by WebSphere.</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> WebSphere =
being case sensitive, interprets .jsp and .JSP to </FONT>
<BR><FONT SIZE=3D2> be two =
extensions. If a request for a .JSP file is made to </FONT>
<BR><FONT SIZE=3D2> =
WebSphere, it cannot find a handler for the .JSP extension </FONT>
<BR><FONT SIZE=3D2> and =
therefore, it uses the default handler, which is of </FONT>
<BR><FONT SIZE=3D2> type =
"text". Since the underlying file system is Windows =
NT,</FONT>
<BR><FONT SIZE=3D2> it does =
not differentiate between upper case and lower case</FONT>
<BR><FONT SIZE=3D2> =
filenames, and hence the requested file ends up being served</FONT>
<BR><FONT SIZE=3D2> up as =
plain text without being parsed or interpreted. On </FONT>
<BR><FONT SIZE=3D2> WebSphere =
running on Unix servers, it flags a "File not Found"</FONT>
<BR><FONT SIZE=3D2> =
error.</FONT>
</P>
<P><FONT SIZE=3D2>Proof of Concept</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> Normally, =
JSP files are referred to in URLs using lower case </FONT>
<BR><FONT SIZE=3D2> =
extensions. For example:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> <A =
HREF=3D"http://site.running.websphere/index.jsp" =
TARGET=3D"_blank">http://site.running.websphere/index.jsp</A></FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> By =
changing any letters in the extension (.jsp) to upper case, </FONT>
<BR><FONT SIZE=3D2> it is =
possible to obtain the unparsed source code of the JSP </FONT>
<BR><FONT SIZE=3D2> file. For =
the above example, the exploit would be to access </FONT>
<BR><FONT SIZE=3D2> the =
following URL:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> <A =
HREF=3D"http://site.running.websphere/index.JSP" =
TARGET=3D"_blank">http://site.running.websphere/index.JSP</A></FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2>Solution</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
Workaround</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
none</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
Fix</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> An efix =
(APAR #: PQ38936) is available and will be posted at:</FONT>
<BR><FONT SIZE=3D2> <A =
HREF=3D"http://www-4.ibm.com/software/webservers/appserv/efix.html" =
TARGET=3D"_blank">http://www-4.ibm.com/software/webservers/appserv/efix.=
html</A></FONT>
</P>
<P><FONT SIZE=3D2>Credits</FONT>
<BR><FONT SIZE=3D2> We would =
like to thank Shreeraj Shah for drawing our attention </FONT>
<BR><FONT SIZE=3D2> to this =
vulnerability. We'd also like to thank IBM for their </FONT>
<BR><FONT SIZE=3D2> prompt =
and serious attention to this issue.</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2>Disclaimer</FONT>
</P>
<P><FONT SIZE=3D2> The =
information contained in this advisory is the copyright (C) </FONT>
<BR><FONT SIZE=3D2> 2000 of =
Foundstone, Inc. and believed to be accurate at the time</FONT>
<BR><FONT SIZE=3D2> of =
printing, but no representation or warranty is given, express</FONT>
<BR><FONT SIZE=3D2> or =
implied, as to its accuracy or completeness. Neither the </FONT>
<BR><FONT SIZE=3D2> author =
nor the publisher accepts any liability whatsoever for</FONT>
<BR><FONT SIZE=3D2> any =
direct, indirect or conquential loss or damage arising in</FONT>
<BR><FONT SIZE=3D2> any way =
from any use of, or reliance placed on, this information</FONT>
<BR><FONT SIZE=3D2> for any =
purpose. This advisory may be redistributed provided that</FONT>
<BR><FONT SIZE=3D2> no fee is =
assigned and that the advisory is not modified in any</FONT>
<BR><FONT SIZE=3D2> =
way.</FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01BFD42E.39537450--
