From: Steve (steve SECURESOLUTIONS.ORG)
Date: Mon Jan 22 2001 - 14:44:04 CST
-----Original Message-----
From: Georgi Guninski
Sent: Monday, January 22, 2001 7:21 AM
Subject: Oracle JSP/SQLJSP handlers allow viewing files and executing JSP outside the web root
Georgi Guninski security advisory #36, 2001
Oracle JSP/SQLJSP handlers allow viewing files and executing JSP outside the web root
Systems affected:
Oracle JSP/SQLJSP handlers, installed by default with Oracle 8.1.7 on Windows 2000.
Have not tested on other versions, but they may be vulnerable.
Risk: High
Date: 22 January 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it, or distribute parts of it, without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.
Description:
It is possible to view files outside the web root.
Also possible is execution of .JSP files outside the web root, on the same partition as the web server's root.
Details:
I guess there are at least 2 vulnerabilities with JSP/SQLJSP handlers.
Basically these are directory traversal vulnerabilities.
1) The following URL:
---------------------------------------
http://oraclehost/servlet//..//../o.jsp
---------------------------------------
will execute c:\o.jsp if there is such file.
As a side effect this shall create the directory C:\servlet\_pages\_servlet and shall put in it the java source and .class file of o.jsp
2) The following URL:
-------------------------------------------------------------
http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini
-------------------------------------------------------------
shall read c:\winnt\win.ini. It is normal to receive an error to this request. To see the result
go to: http://oraclehost/_pages and look in the directories for .java files containing "win"
3) The following URL:
-----------------------------------------------------------------
http://oraclehost/bb.sqljsp//..//..//..//..//..//../winnt/win.ini
-----------------------------------------------------------------
shall read c:\winnt\win.ini. It is normal to receive an error to this request. To see the result
go to: http://oraclehost/_pages and look in the directories for .java files containing "win"
Note: all URLs were tested with Netscape 4.76 or direct HTTP requests. They do not work with IE.
Vendor status:
Oracle was contacted on 18 January 2001.
Regards,
Georgi Guninski
http://www.guninski.com
----------------------
You may visit Guninski Security Mailing List page at
http://www.guninski.com/mailinglist.html
----------------------