Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Matt Moore (mattwestpoint.ltd.uk)
Date: Wed May 22 2002 - 11:11:57 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Westpoint Security Advisory

    Title: Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
    Risk Rating: High
    Software: ServletExec 4.1 ISAPI / IIS 4 & 5
    Platforms: Win2k / WinNT 4
    Vendor URL: www.newatlanta.com
    Author: Matt Moore <mattWestpoint.ltd.uk>
    Date: 22 May 2002
    Advisory ID#: wp-02-0006.txt


    ServletExec 4.1 ISAPI is a Java Servlet/JSP Engine for Internet Information
    Server and is implemented as an ISAPI filter.
    The JSP functionality is provided by a servlet which is enabled by default
    and contains three security flaws.


    1. ServletExec discloses physical path of webroot

    It is possible to invoke the class 'com.newatlanta.servletexec.JSP10Servlet'
    directly by requesting a url such as:


    If no filename is supplied to it, then it returns an error message:

    Error. The file was not found. (filename =

    disclosing the physical path of the web root.

    2. JSP10Servlet allows files to be read from within IIS webroot

    By invoking the JSP10Servlet (or simply JSPServlet) using the URL described
    above, it is possible to read files from within the web root.
    It did not appear to be possible to 'break out' of the web root and read
    files from other parts of the file system.
    The path must be URL encoded for this to work. For instance, a request such


    will retrieve the global.asa file, which is normally not served.

    3. DoS via overly long request for .JSP file

    By making a request for an overly long named .jsp file, Internet Information
    Server can be crashed.

    The denial of service condition can be triggered by either requesting an
    overly long named .jsp file:


    or by invoking the JSPServlet or JSP10Servlet directly:


    Patch Information:

    There is a workaround for the physical path disclosure bug, which should be
    in the FAQ's at

    The other issues are fixed in Patch #9 from

    Additional Information

    Nessus plugins are available to test for the vulnerabilities identified
    above, from www.nessus.org:

    servletExec_DoS.nasl (ID 10958)
    ServletExec_File_Reading.nasl (ID 10959)
    ServletExec_path_disclosure.nasl (ID 10960)