Bugtraq mailing list archives

Re: Patch for Potential Vulnerability in the execution of JSPs outside doc_root


From: Alex Yiu <ayiu () US ORACLE COM>
Date: Thu, 22 Feb 2001 21:01:22 -0000


Hi, Jon,

(This message was sent to jon () latchkey com, 
security () apache org, secalert_us () oracle com)

Regarding Jon's posting at:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=162712

I would like to provide more information. 
Basically, there are two factors in the security 
issue in OracleJSP 1.1.0 (running on Apache/JServ) 
bundled in Oracle 8.1.7:

(1) OracleJSP 1.1.0 itself:
Although OracleJSP 1.1.0 handles URLs like:

http://HOST/a.jsp/../../../../../../b.jsp
http://HOST/../b.jsp

correctly (without a security issue in these cases),

it does not handle URLs like:
http://HOST/a.jsp//..//..//..//..//..//../b.jsp

correctly on Windows NT.

This has been fixed in OJSP 1.1.2.0.

(2) Apache/JServ:

http://HOST/servlets/a.jsp

("/servlets" is the path mounted with a servlet 
zone. .jsp is associated with a servlet handling 
JSP requests.)

The getPathTranslated() returned a misleading 
non-null value, which is "/servlets/a.jsp" (or 
"c:\servlets\a.jsp" on NT)

This behavior will lead most JSP engines to 
execute an unexpected JSP, if such a JSP exists.

The Apache/JServ maintenance people within Oracle 
are fixing this problem also.

One more issue: it's about Tomcat and Jasper. FYI, 
it seems to me that Tomcat 3.1 final release has 
security issues on URL cases like these:

http://HOST/a.jsp/../../../../../../b.jsp
http://HOST/../b.jsp
http://HOST/a.jsp//..//..//..//..//..//../b.jsp

I have not checked with Tomcat 3.2 or 4.0. It may 
have been fixed.


Regards,
Alex Yiu


** The statements and opinions expressed here are my own and **
** do not necessarily represent those of Oracle Corporation. **
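
A doc_root containment check of the kind both factors in the message call for, as an added example that is not part of the original message and is not OracleJSP, JServ or Tomcat code. The class name, method name and sample doc root are hypothetical, and the request path is assumed to have been percent-decoded once by the container already.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayDeque;
import java.util.Deque;

public class DocRootCheck {

    /** Maps an already-decoded request path to a file under docRoot, or returns null to refuse it. */
    static Path resolve(Path docRoot, String requestPath) {
        Deque<String> kept = new ArrayDeque<>();
        // Treat '\' as a separator too: the failing case in the message was on Windows NT.
        for (String seg : requestPath.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;   // "//" and "/./" add no path element
            if (seg.equals("..")) {
                if (kept.isEmpty()) return null;              // would climb above doc_root
                kept.removeLast();
            } else {
                kept.addLast(seg);
            }
        }
        try {
            Path root = docRoot.toAbsolutePath().normalize();
            Path candidate = root;
            for (String seg : kept) {
                candidate = candidate.resolve(seg);
            }
            candidate = candidate.normalize();
            // Backstop: whatever the segment logic did, the result must stay under doc_root.
            return candidate.startsWith(root) ? candidate : null;
        } catch (InvalidPathException e) {
            return null;                       // e.g. characters the platform forbids in a name
        }
    }

    public static void main(String[] args) {
        Path docRoot = Paths.get("example-docroot");   // constructed sample root
        String[] samples = {                           // constructed; URL shapes from the message
            "/a.jsp", "/dir/../b.jsp", "/../b.jsp",
            "/a.jsp/../../../../../../b.jsp", "/a.jsp//..//..//..//..//..//../b.jsp"
        };
        for (String s : samples) {
            Path p = resolve(docRoot, s);
            System.out.println(s + " -> " + (p == null ? "REFUSED" : p));
        }
    }
}
```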

