OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Disclosure of JSP source code with ServletExec AS v3.0c + web ins tance
From: Woch, Wojciech (Woch_WADMIRAL.FR)
Date: Tue Nov 21 2000 - 10:04:21 CST


Test environment
----------------
    NT 4.0 SP6a
    IIS v4
    Sun JDK v1.2.2.006
    ServletExec AS v3.0C

Vendor status (Unify)
---------------------
    Issue reported on October 27th to supportservletexec.com
    Confirmation on November 2nd that the problem was reproduced
    Confirmation that the issue was forwarded to the developpment team
    A temporary workaround was provided (see below)
    As of today, no ETA for a fix

Problem description
-------------------
Under a particular configuration, ServletExec AS v3.0C will disclose the
source code of JSP pages when some special characters are appended to
HTTP requests.

Specifically, when a web instance is installed and named after an
existing Web application, or the name manually added on the
servletexec.servername.applications line in servletexec.properties, the
source code of a JSP page will be displayed if one of the following
characters is present and the end of the request:

. and %2E
+ and %2B
\ and %5C
%20
%00

All values from %00 to %FF were checked.

Temporary workaround
--------------------
Unify's support provided the following workarounds for people who might
be impacted by the issue:

"If they don't have any static pages or images in their web application
then they can configure a default servlet by mapping '/' to their
default servlet. This will cause their default servlet to be called for
any URLs which don't map to a servlet. In this case their default
servlet can just return File Not Found. If they do have static pages or
images then they can still do this but they'll need to have their
default servlet serve up valid static pages and images."

"Another possibility is to map *.jsp+, *.jsp., *.jsp\, etc. to a servlet
which just returns File Not Found. For the *.jsp%00 and *.jsp%20 cases
they'll need to enter the mappings in unencoded form. For example, the
mapping for *.jsp%20 would need to be entered as "*.jsp ". Note that
the %20 was converted to a space character."

Test scenario
-------------

Here's the procedure to reproduce the behaviour on the test environment
with the exampleWebApp that is provided with ServletExec.

* Launch ServletExec_AS_30C.exe to install ServletExec AS v3.0c
* Choose Install a ServletExec AS instance
* Default install directories (ex: C:\Program Files\Unify\ServletExec
AS)
* Name the instance with the servername (ex: servtest)
* Setup type is Microsoft IIS or PWS
* Install servletexec as NT Service
* Once the installation's complete, stop and restart IIS Admin and World
Wide Web Publishing services
* Start the ServletExec service (ex: ServletExec-servtest)
* Connect to the admin servlet (ex: http://servtest/servlet/admin)
* Go to Web applications/Configure
* Add exampleWebApp (ex: Name=ex, URL=/ex, Location=C:\Program
Files\Unify\ServletExec AS\Examples\exampleWebApp)
* The application should be accessible under
http://servtest/ex/jsp/simple.jsp but NOT its source code (returns 404
errors on attempts such as http://servtest/ex/jsp/simple.jsp.)

We run now the ServletExec_AS_30C.exe setup again to add a web instance:

* Choose Install or Update a web server adapter
* Setup type is Microsoft IIS or PWS
* Name of the ServletExec AS instance is as before (ex: servtest)
* Application URL is /ex
* Once the installation's complete, stop and restart IIS Admin and World
Wide Web Publishing services

At this point, we are able to retrieve the source code of JSP pages
accessible within the application directory tree. Example requests that
produce the source are:

  http://servtest/ex/jsp/simple.jsp.
  http://servtest/ex/jsp/simple.jsp+
  http://servtest/ex/jsp/simple.jsp\
  http://servtest/ex/jsp/simple.jsp%20
  http://servtest/ex/jsp/simple.jsp%00

In other words, the problem seems to occur as soon as we touch
servletexec.properties and add an existing application's URL (/ex) as a
parameter to servletexec.servtest.applications or to
servletexec.servtest.aliases (this second case occurs if we choose a
different name for the instance during the Update process - we can still
view the source code).

Notes
-----
* A similar problem
(http://www.securityfocus.com/vdb/bottom.html?vid=1328) was discovered
by Niclas Vikstrom and posted to NTbugtraq by Russ Cooper on June 8,
2000. Source code could be displayed when the page extension was
specified in uppercase, but the problem was fixed in v3.0C.

* Fundstone Inc. discovered two other vulnerabilites
(http://www.securityfocus.com/vdb/bottom.html?vid=1876 and
http://www.securityfocus.com/vdb/bottom.html?vid=1868) with v3.0C that
should be fixed in v3.0E. As of today, this version still cannot be
found for download at http://www.servletexec.com/downloads/ so it could
not be tested.

* Thanks to the support people at Unify for working with us on this
issue