Latest news
Risks
Sun-One Application Server Multiple Vulnerabilities
28 May 2003
As contributed to HNS by SPI Labs:
[Release Date]: May 27, 2003
[System Affected]
* Sun-ONE Application Server 7.0 for Windows 2000/XP
[Description]
During a brief audit of a SunONE Application Server installation on Windows 2000, SPI Labs discovered a number of vulnerabilities. Each of the vulnerabilities is described in detail below. The complete advisory is also available from our website at: http://www.spidynamics.com/sunone_alert.html.
Issue 1: JSP source code disclosure
Severity: High
-------------------------------------
It is possible to view the source code of JSP applications by changing the case of the file extension in the HTTP request. The vulnerability is due to Unix code being ported to the Microsoft Windows platform where the filesystem is case insensitive. When a request is received, the server performs a case sensitive check to determine if the request ends in ".jsp". If it does, the JSP engine will process it. Otherwise, it will see if it can retrieve the requested resource from the filesystem. On Unix operating systems, this will fail because of "file.jsp" cannot be opened by asking for "file.JSP" However, on Windows the file will be returned because the filesystem is case insensitive. Below is an example of a normal request/response, followed by the same request/response with the case change applied. The headers and response data have been trimmed for clarity.
[Original request]
GET /hello.jsp HTTP/1.0
[Original response]
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)
<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is Fri March 14 15:29:40 EST 2003 and is a beautiful Spring day.
</body></html>
[Request with case change]
GET /hello.JSP HTTP/1.0
[Response with case change]
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)
<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is <%= new java.util.Date().toString() %> and is a beautiful Spring day.
</body></html>
Issue 2: Log evasion
Severity: Medium
-------------------------------------
Only the first 4042 characters of a request URI are logged, even though the maximum URI length appears to be 4096 characters. This gives an attacker 54 characters to construct an attack with. Although it is possible that an administrator would still notice the unusual requests, he or she would be unable to determine what files or parameters the attacker would be requesting. Because of this, the administrator would not be able to find out what components of their system are being exploited. Below is an example request for /hello.jsp, as well as the log data. The headers, request and response data have been trimmed for clarity.
[Request for /hello.jsp]
GET
/AAAAAAAAAAAAAA[ up to 4042 characters]/../hello.jsp HTTP/1.0
[Console message]
WARNING: HTTP4198: flex log buffer overflow- greater than 4096 characters
Server log file
[04/Mar/2003:10:52:05] WARNING ( 1304): HTTP4198: flex log buffer overflow- greater than 4096 characters
Access log file
172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "GET
/AAAAAAAAAA[ up to 4042 characters] ...
The name of the file that was accessed does not appear in the logs.
Issue 3: Cross site scripting
Severity: Low
-------------------------------------
If an error occurs while processing a Java application, it may be possible to execute cross-site scripting attacks by placing scripted content in the query string. Below is an example of a request using a sample application followed by the relevant portion of the response.
[Request]
GET /webapps-simple/jsp/source.jsp?<script>alert(document.cookie)</script>
HTTP/1.0
[Response snippet]
Exception Report
<b>Message: </b>Internal Server Error< br>
<p>
<b>Exception</b>
<pre>javax.servlet.ServletException: Invalid JSP file
<script>alert(document.cookie)</script>
at
org.apache.jasper.runtime.PageContextImpl.handle
PageException(PageContextImpl.java:471)
at _jasper._jsp._source_jsp._jspService(_source_jsp.java:88)
Issue 4: Incorrect local file permissions and plaintext passwords
Severity: Medium
-------------------------------------
When installing SunONE on Windows 2000 the default installation directory is C:sun. Any file or directory created in this directory will be world-readable. The "statefile" located at C:sunappserver7statefile contains a plaintext username and password to the administrative server. .
Remediation
-------------------------------------
Sun Microsystems was contacted on the 18th of March 2003 and again on numerous occasions without results. We hope that by publishing this information, the vendor will correct these problems. Unfortunately, there is no remediation procedure for the first, second or third issues. For the last issue, "Incorrect local file permissions and plaintext passwords" we recommend that the permissions of the statefile be changed so that only the administrator can access it.
[Contact Information]
Contact Information
spilabs@spidynamics.com
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
suite 270
Atlanta, GA. 30346
Toll-Free Phone: (866) 774-2700
SPI Dynamics was founded in 2000 by a team of accomplished Web security specialists; SPI Dynamics is the leader in Web application security technology. With such signature products as WebInspect, SPI Dynamics is dedicated to protecting companies' most valuable assets. SPI Dynamics has created a new breed of Internet security products for the Web application, the most vulnerable yet least secure component of online business infrastructure.
Copyright (c) 2003 SPI Dynamics, Inc. All rights reserved worldwide.
[Release Date]: May 27, 2003
[System Affected]
* Sun-ONE Application Server 7.0 for Windows 2000/XP
[Description]
During a brief audit of a SunONE Application Server installation on Windows 2000, SPI Labs discovered a number of vulnerabilities. Each of the vulnerabilities is described in detail below. The complete advisory is also available from our website at: http://www.spidynamics.com/sunone_alert.html.
Issue 1: JSP source code disclosure
Severity: High
-------------------------------------
It is possible to view the source code of JSP applications by changing the case of the file extension in the HTTP request. The vulnerability is due to Unix code being ported to the Microsoft Windows platform where the filesystem is case insensitive. When a request is received, the server performs a case sensitive check to determine if the request ends in ".jsp". If it does, the JSP engine will process it. Otherwise, it will see if it can retrieve the requested resource from the filesystem. On Unix operating systems, this will fail because of "file.jsp" cannot be opened by asking for "file.JSP" However, on Windows the file will be returned because the filesystem is case insensitive. Below is an example of a normal request/response, followed by the same request/response with the case change applied. The headers and response data have been trimmed for clarity.
[Original request]
GET /hello.jsp HTTP/1.0
[Original response]
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)
<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is Fri March 14 15:29:40 EST 2003 and is a beautiful Spring day.
</body></html>
[Request with case change]
GET /hello.JSP HTTP/1.0
[Response with case change]
HTTP/1.1 200 OK
Server: Sun-ONE-Application-Server/7.0
(more headers)
<html>
<head><title>Hello World JSP Example</title></head>
<body>
<h1>Hello World</h1>
It is <%= new java.util.Date().toString() %> and is a beautiful Spring day.
</body></html>
Issue 2: Log evasion
Severity: Medium
-------------------------------------
Only the first 4042 characters of a request URI are logged, even though the maximum URI length appears to be 4096 characters. This gives an attacker 54 characters to construct an attack with. Although it is possible that an administrator would still notice the unusual requests, he or she would be unable to determine what files or parameters the attacker would be requesting. Because of this, the administrator would not be able to find out what components of their system are being exploited. Below is an example request for /hello.jsp, as well as the log data. The headers, request and response data have been trimmed for clarity.
[Request for /hello.jsp]
GET
/AAAAAAAAAAAAAA[ up to 4042 characters]/../hello.jsp HTTP/1.0
[Console message]
WARNING: HTTP4198: flex log buffer overflow- greater than 4096 characters
Server log file
[04/Mar/2003:10:52:05] WARNING ( 1304): HTTP4198: flex log buffer overflow- greater than 4096 characters
Access log file
172.16.10.47 - - [04/Mar/2003:10:52:04 -0800] "GET
/AAAAAAAAAA[ up to 4042 characters] ...
The name of the file that was accessed does not appear in the logs.
Issue 3: Cross site scripting
Severity: Low
-------------------------------------
If an error occurs while processing a Java application, it may be possible to execute cross-site scripting attacks by placing scripted content in the query string. Below is an example of a request using a sample application followed by the relevant portion of the response.
[Request]
GET /webapps-simple/jsp/source.jsp?<script>alert(document.cookie)</script>
HTTP/1.0
[Response snippet]
Exception Report
<b>Message: </b>Internal Server Error< br>
<p>
<b>Exception</b>
<pre>javax.servlet.ServletException: Invalid JSP file
<script>alert(document.cookie)</script>
at
org.apache.jasper.runtime.PageContextImpl.handle
PageException(PageContextImpl.java:471)
at _jasper._jsp._source_jsp._jspService(_source_jsp.java:88)
Issue 4: Incorrect local file permissions and plaintext passwords
Severity: Medium
-------------------------------------
When installing SunONE on Windows 2000 the default installation directory is C:sun. Any file or directory created in this directory will be world-readable. The "statefile" located at C:sunappserver7statefile contains a plaintext username and password to the administrative server. .
Remediation
-------------------------------------
Sun Microsystems was contacted on the 18th of March 2003 and again on numerous occasions without results. We hope that by publishing this information, the vendor will correct these problems. Unfortunately, there is no remediation procedure for the first, second or third issues. For the last issue, "Incorrect local file permissions and plaintext passwords" we recommend that the permissions of the statefile be changed so that only the administrator can access it.
[Contact Information]
Contact Information
spilabs@spidynamics.com
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
suite 270
Atlanta, GA. 30346
Toll-Free Phone: (866) 774-2700
SPI Dynamics was founded in 2000 by a team of accomplished Web security specialists; SPI Dynamics is the leader in Web application security technology. With such signature products as WebInspect, SPI Dynamics is dedicated to protecting companies' most valuable assets. SPI Dynamics has created a new breed of Internet security products for the Web application, the most vulnerable yet least secure component of online business infrastructure.
Copyright (c) 2003 SPI Dynamics, Inc. All rights reserved worldwide.
Spotlight
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
To hack back or not to hack back?
Posted on 12 June 2013. | If you think of cyberspace as a new resource for you and your organization, it makes sense to protect your part of it as best you can. But is it a good idea?
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
