SecurityTracker.com
SecurityTracker
Archives
Category: Application (Web Server/CGI) > jo!
Vendors: Tagtraum Industries Project
jo! Java Application Server Dot URL Bug Discloses Server Files to Remote Users
SecurityTracker Alert ID:  1004652
SecurityTracker URL:  http://securitytracker.com/id/1004652
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Jun 29 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available: Yes    Vendor Confirmed: Yes    Exploit Included: Yes
Version(s): prior to 1.0b7
Description:   A vulnerability was reported in the jo! web application server. A remote user may be able to retrieve files in the 'WEB-INF' directory.

Westpoint issued a security advisory covering several J2EE application servers, including the jo! Java application server. According to the advisory, files stored within the WEB-INF directory and its subdirectories are not intended to be served to web clients. These files may include Java class files and configuration files, such as the 'web.xml' deployment descriptor file.

A remote user can reportedly append a period ('.') to the WEB-INF path segment of a URL request (i.e. request 'WEB-INF.' instead of 'WEB-INF') to retrieve files from that directory. In some cases, client session information may also be accessed.

Some demonstration exploit URLs are provided:

http://[target]/WEB-INF./web.xml
http://[target]/WEB-INF./classes/MyServlet.class

Impact:   A remote user can obtain .java and .class files for J2EE applications, configuration files, and possibly client session information.
Solution:   The vendor has released a fixed version (1.0b7 and later versions), available at:

http://www.tagtraum.com/download_frameset.html

Vendor URL: www.tagtraum.com/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


Source Message Contents

Subject:  [VulnWatch] wp-02-0002: 'WEB-INF' Folder accessible in Multiple Web Application Servers


Westpoint Security Advisory

Title:         'WEB-INF' Folder accessible in Multiple Web Application Servers
Risk Rating:   Medium
Software:      Multiple Vendors
Platforms:     Win32 Only (WinNT, Win2k)
Vendor URL:    See Below
Author:        Matt Moore <matt@westpoint.ltd.uk>
Date:          28th June 2002
Advisory ID#:  wp-02-0002

Overview:
=========

This vulnerability affects the Win32 versions of multiple J2EE servlet
containers / application servers. By making a particular request to the
servers in question it is possible to retrieve files located under
the 'WEB-INF' directory.

Details:
========

A web application ('web app') is a collection of servlets, Java Server
Pages, HTML docs, images, etc. that are packaged in such a way that
they can be portably deployed on any servlet-enabled web server.

Applications are typically packaged in .WAR files. There is a standard
structure for these files which looks something like:

index.html
blah.jsp
images/on.gif
images/off.gif
WEB-INF/web.xml
WEB-INF/lib/blah.jar
WEB-INF/classes/MyServlet.class
WEB-INF/classes/com/bigco/things/servlet/bigcoWebServlet.class
etc...

This can then be deployed to the application server. The WEB-INF directory
is 'special'; anything under it is not to be served directly to web clients
as it contains Java class files (for servlets etc) and configuration
information for the web application. Hence, when an application server
receives any requests for /WEB-INF/ it will usually return a '403 Forbidden'
or even a '404 Not Found' HTTP error.

The web.xml file which resides in WEB-INF is what is called a
'deployment descriptor' and contains detailed information about the web
application, e.g.: URL mappings, servlet registration details, welcome
files, MIME types, page-level security constraints...

A vulnerability exists in multiple Win32 servlet engines whereby if you
append a dot ('.') to the end of WEB-INF in the requested URL, it is possible
to retrieve the contents of any files within that directory.

It is possible to download the .java and .class files for a given application,
and access web.xml and other configuration files, and in some cases client
session information.

For example:

www.someserver.com/WEB-INF./web.xml

or

www.someserver.com/WEB-INF./classes/MyServlet.class

This vulnerability is Win32 specific because of a quirk in the way the Windows
file system operates. Basically, the file system ignores a trailing '.'
character on a given path or filename.
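The SecurityTracker description above and this Details section describe the same failure: the container compares the raw request path against the literal prefix '/WEB-INF/', while the Windows file system silently maps 'WEB-INF.' onto 'WEB-INF'. The following Python is an added example, not code from Westpoint or from any of the listed servers; it models the bypassable prefix check beside a check that canonicalizes each path segment the way Win32 does before applying the deny rule, and runs both over a few constructed access-log lines so the requests that would have slipped through stand out. All function names and the sample log are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

def naive_is_protected(url_path: str) -> bool:
    # The bypassable check: a literal prefix test on the raw request path.
    return url_path.upper().startswith("/WEB-INF/")

def windows_canonical_segment(segment: str) -> str:
    # Win32 name handling discards trailing dots and spaces: "WEB-INF." opens "WEB-INF".
    return segment.rstrip(". ")

def canonicalize(url_path: str) -> str:
    # Percent-decode, treat backslash as a separator, resolve "." and "..",
    # then canonicalize each remaining segment the way the file system will.
    parts = []
    for seg in unquote(url_path).replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        name = windows_canonical_segment(seg)
        if name:
            parts.append(name)
    return "/" + "/".join(parts)

def hardened_is_protected(url_path: str) -> bool:
    # Apply the deny rule to the canonical path, and to every segment, not just the prefix.
    segments = canonicalize(url_path).split("/")[1:]
    return any(s.upper() in ("WEB-INF", "META-INF") for s in segments)

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def find_bypass_attempts(log_lines):
    # Paths that escaped the naive check but resolve into WEB-INF: the
    # requests a container without the fix would have answered with the file.
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and hardened_is_protected(m.group(1)) and not naive_is_protected(m.group(1)):
            hits.append(m.group(1))
    return hits

SAMPLE_LOG = [  # constructed Common Log Format lines, not taken from the advisory
    '10.0.0.5 - - [28/Jun/2002:10:01:02 +0100] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [28/Jun/2002:10:01:09 +0100] "GET /WEB-INF/web.xml HTTP/1.0" 403 0',
    '10.0.0.5 - - [28/Jun/2002:10:01:15 +0100] "GET /WEB-INF./web.xml HTTP/1.0" 200 2048',
    '10.0.0.5 - - [28/Jun/2002:10:01:21 +0100] "GET /WEB-INF%2E/classes/MyServlet.class HTTP/1.0" 200 4096',
]
```

Canonicalizing before the comparison is the generalization of the vendor fixes listed below: the same check also covers a percent-encoded dot and a trailing space, which the plain prefix test likewise misses.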

Vulnerable Products
===================
Sybase EA Server 4.0 ( www.sybase.com )
OC4J - Oracle Containers for J2EE ( www.oracle.com )
Orion 1.5.3 - ( www.orionserver.com ).
JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun ( www.macromedia.com )
HPAS 8.0 - Hewlett Packard App Server ( www.bluestone.hp.com )
Pramati 3.0 - Pramati App Server ( www.pramati.com )
Jo - Jo Webserver ( http://sourceforge.net/projects/tagtraum-jo/ or www.tagtraum.de )

Patch Information:
==================

Sybase EA Server
----------------
Upgrade to EAServer 4.1 (also fixed in maintenance release for 3.6.1)

OC4J - Oracle Containers for J2EE
---------------------------------
Fixed in the latest version of OC4J / 9iAS. Download OC4J v9.0.2 from:

http://otn.oracle.com/software/products/ias/devuse.html

Note: Two previous versions (v1.0.2.2.1 and v1.0.2.2) are
still available from this page, both of which still have this
vulnerability (as of 28/06/02). If you are using either of
these versions you should upgrade.

Vulnerable developer preview was available for download from
http://otn.oracle.com/tech/java/oc4j/content.html . This download
has now been fixed.

Orion Server
------------
Fixed in version 1.5.4

JRun 3.0,3.1, 4.0
--------------------
Vendor contacted 31/1/02.
Bug confirmed in 3.1 by vendor on 06/02/02.
Vendor Alert: http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Cumulative Patch available for JRun 3.0, 3.1 / 4.0

HPAS 8.0
--------
Vendor contacted 07/02/02, bug confirmed by vendor on same day. Will be fixed
in Maintenance Pack 8 (MP8)

Pramati App Server
------------------
Vendor contacted on 04/02/02. Fixes will be available in Service Pack 1.

Jo Webserver
------------
Fixed in version 1.0b7 and later.

Additional Information
======================

A Nessus plugin for this vulnerability should shortly be available from
www.nessus.org:

generic_web-inf.nasl

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0002.txt

Copyright 2021, SecurityGlobal.net LLC