Subject: Potential vulnerability in Unify eWave ServletExec
From: Russ (Russ.Cooper@RC.ON.CA)
Date: Thu Jun 08 2000 - 09:26:59 CDT


Niclas Vikstrom <niclas.vikstrom@lexor.se> brought this to my attention.

Unify eWave ServletExec <http://www.servletexec.com/> is a Java Server Pages
(JSP) processing environment which runs on IIS (amongst a variety of other
platforms and OSes). JSP is similar to ASP in that it allows server-side
source code to generate dynamic web pages for presentation to web visitors.
Like ASP, JSP source code pages should not be visible.

Unify, in a conversation yesterday, advised that the issue Niclas discovered
is already known, and in their opinion, easily prevented. I strongly
disagree, and think Unify should fix their application environment.

Basically, if you visit a JSP generated via ServletExec such as:

http://dummysite/somepage.jsp

you will see a fully formed page according to the source JSP instructions.
Yet if you view the same page with a minor modification, using upper case
JSP at the end of the link:

http://dummysite/somepage.JSP

you will, instead, see the source code for the JSP in question.

According to Unify, all that is required to prevent this is to have a
default Servlet installed which, for example, states that the page
requested is not found (or any other page you wish to present when a JSP
request is presented which does not explicitly match some known JSP).

Why the ServletExec environment should ever present source code upon a
request such as this is beyond me. Whether or not the documentation
describes, or insists on, the presence of a default Servlet as Unify
recommended to me yesterday is also unknown (in which case the discovered
exploitable public sites didn't follow the Vendor's recommendations for
implementing a secure environment, or the documentation sucks.)

In any event, those of you who use this environment should ensure that your
JSP source code is not being made available to the public.

Cheers,
Russ - NTBugtraq Editor
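The following is an added example, not code from the post, from Unify or from ServletExec. It models the failure Russ describes with a toy server: the document root is looked up case-insensitively (as a file on NTFS under IIS would be), the vulnerable dispatcher compares the extension case-sensitively and lets ".JSP" fall through to a static-file handler, and the hardened dispatcher compares case-insensitively and routes everything it does not claim to a default servlet. The JSP "file", the `_run_jsp` stand-in for the JSP engine and the `leaks_source` probe are all constructed here; `leaks_source` accepts any `fetch(path) -> (status, body)` callable, so the same check runs against the toy servers offline or, via the `http_fetch` helper, against a live host you are authorised to test.

```python
"""Probe for the ".jsp" vs ".JSP" source-disclosure pattern described above.

Constructed example, not ServletExec code. A toy server stands in for the real
one: its file store is case-insensitive (as on NTFS under IIS), so "/x.JSP"
resolves to the same file as "/x.jsp"; what differs is whether the dispatcher
recognises the extension before handing the file to the JSP engine.
"""
import re
import urllib.error
import urllib.request

# Constructed JSP "file" containing server-side code that must never reach a client.
FILES = {
    "/somepage.jsp": (
        '<%@ page import="java.sql.*" %>\n'
        '<% String dbPass = "s3cret"; %>\n'
        '<html><body>Hello <%= request.getParameter("name") %></body></html>\n'
    ),
}

# Any scriptlet/directive/expression opener: "<%", "<%@", "<%=", "<%!".
SCRIPTLET = re.compile(r"<%[@=!]?")


def _lookup(path):
    """Case-insensitive file lookup, mimicking an NTFS-backed document root."""
    for name, body in FILES.items():
        if name.lower() == path.lower():
            return body
    return None


def _run_jsp(source):
    """Stand-in for the JSP engine: strips every <% ... %> block and returns only
    the HTML a visitor should see (no real evaluation is performed)."""
    return re.sub(r"<%.*?%>", "", source, flags=re.S)


def vulnerable_server(path):
    """Extension compared case-sensitively. Anything that is not exactly ".jsp"
    goes to the static-file handler, which returns the file verbatim."""
    body = _lookup(path)
    if body is None:
        return 404, "Not Found"
    if path.endswith(".jsp"):
        return 200, _run_jsp(body)
    return 200, body  # ".JSP", ".Jsp", ... leak the raw source


def hardened_server(path):
    """Extension compared case-insensitively, and a default servlet answers every
    path the JSP mapping does not claim, so no raw file is ever served."""
    body = _lookup(path)
    if body is not None and path.lower().endswith(".jsp"):
        return 200, _run_jsp(body)
    return 404, "Not Found"  # default servlet (the mitigation Unify suggested)


def leaks_source(fetch, path):
    """Request `path` with its extension upper-cased and report whether the
    response still carries JSP scriptlet markers. `fetch(path)` must return
    (status, body)."""
    stem, dot, ext = path.rpartition(".")
    status, body = fetch(f"{stem}{dot}{ext.upper()}")
    return status == 200 and SCRIPTLET.search(body) is not None


def http_fetch(base_url):
    """Return a fetch() for a live host (hypothetical usage; only run against
    systems you are authorised to test)."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, ""
    return fetch


if __name__ == "__main__":
    for name, server in (("vulnerable", vulnerable_server), ("hardened", hardened_server)):
        print(f"{name}: leaks source = {leaks_source(server, '/somepage.jsp')}")
```

The probe only upper-cases the extension, which is the exact variant from the post; a fuller sweep would also try mixed case ("somepage.Jsp") and other suffix tricks, but the fix is the same either way: map the extension case-insensitively and never let an unmatched path reach a handler that serves files verbatim.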