[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Disclosure of JSP source code with ServletExec AS v3.0c

Title: Disclosure of JSP source code with ServletExec AS v3.0c
Released by: Woch, Wojciech
Date: 20th November 2000
Printable version: Click here
Test environment


    NT 4.0 SP6a

    IIS v4

    Sun JDK v1.2.2.006

    ServletExec AS v3.0C

Vendor status (Unify)


    Issue reported on October 27th to support@servletexec.com

    Confirmation on November 2nd that the problem was reproduced

    Confirmation that the issue was forwarded to the developpment team

    A temporary workaround was provided (see below)

    As of today, no ETA for a fix

Problem description


Under a particular configuration, ServletExec AS v3.0C will disclose the

source code of JSP pages when some special characters are appended to

HTTP requests.

Specifically, when a web instance is installed and named after an

existing Web application, or the name manually added on the

servletexec.servername.applications line in servletexec.properties, the

source code of a JSP page will be displayed if one of the following

characters is present and the end of the request:

. and %2E

+ and %2B

\ and %5C



All values from %00 to %FF were checked.

Temporary workaround


Unify's support provided the following workarounds for people who might

be impacted by the issue:

"If they don't have any static pages or images in their web application

then they can configure a default servlet by mapping '/' to their

default servlet.  This will cause their default servlet to be called for

any URLs which don't map to a servlet.  In this case their default

servlet can just return File Not Found.  If they do have static pages or

images then they can still do this but they'll need to have their

default servlet serve up valid static pages and images."

"Another possibility is to map *.jsp+, *.jsp., *.jsp\, etc. to a servlet

which just returns File Not Found.  For the *.jsp%00 and *.jsp%20 cases

they'll need to enter the mappings in unencoded form.  For example, the

mapping for *.jsp%20 would need to be entered as "*.jsp ".  Note that

the %20 was converted to a space character."

Test scenario


Here's the procedure to reproduce the behaviour on the test environment

with the exampleWebApp that is provided with ServletExec.

* Launch ServletExec_AS_30C.exe to install ServletExec AS v3.0c

* Choose Install a ServletExec AS instance

* Default install directories (ex: C:\Program Files\Unify\ServletExec


* Name the instance with the servername (ex: servtest)

* Setup type is Microsoft IIS or PWS

* Install servletexec as NT Service

* Once the installation's complete, stop and restart IIS Admin and World

Wide Web Publishing services

* Start the ServletExec service (ex: ServletExec-servtest)

* Connect to the admin servlet (ex: http://servtest/servlet/admin)

* Go to Web applications/Configure

* Add exampleWebApp (ex: Name=ex, URL=/ex, Location=C:\Program

Files\Unify\ServletExec AS\Examples\exampleWebApp)

* The application should be accessible under

http://servtest/ex/jsp/simple.jsp but NOT its source code (returns 404

errors on attempts such as http://servtest/ex/jsp/simple.jsp.)

We run now the ServletExec_AS_30C.exe setup again to add a web instance:

* Choose Install or Update a web server adapter

* Setup type is Microsoft IIS or PWS

* Name of the ServletExec AS instance is as before (ex: servtest)

* Application URL is /ex

* Once the installation's complete, stop and restart IIS Admin and World

Wide Web Publishing services

At this point, we are able to retrieve the source code of JSP pages

accessible within the application directory tree. Example requests that

produce the source are:






In other words, the problem seems to occur as soon as we touch

servletexec.properties and add an existing application's URL (/ex) as a

parameter to servletexec.servtest.applications or to

servletexec.servtest.aliases (this second case occurs if we choose a

different name for the instance during the Update process - we can still

view the source code).



* A similar problem

(http://www.securityfocus.com/vdb/bottom.html?vid=1328) was discovered

by Niclas Vikstrom and posted to NTbugtraq by Russ Cooper on June 8,

2000. Source code could be displayed when the page extension was

specified in uppercase, but the problem was fixed in v3.0C.

* Fundstone Inc. discovered two other vulnerabilites

(http://www.securityfocus.com/vdb/bottom.html?vid=1876 and

http://www.securityfocus.com/vdb/bottom.html?vid=1868) with v3.0C that

should be fixed in v3.0E. As of today, this version still cannot be

found for download at http://www.servletexec.com/downloads/ so it could

not be tested.

* Thanks to the support people at Unify for working with us on this


(C) 1999-2000 All rights reserved.