Bugtraq mailing list archives
Re: gnujsp: dir- and script-disclosure
From: Stefan Gybas <gybas () trustsec de>
Date: Wed, 20 Feb 2002 16:54:22 +0100
On Tue, Feb 19, 2002 at 03:51:01PM +0100, Thomas Springer wrote:
> Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running gnujsp, reveals directory-listing of any webdir including wwwroot, it also reveals the script-source of certain (not all!) script-types, depending on webserver-config.
The actual hole is in JServ (a servlet engine for which GNUJSP was mainly written) since it sets the servlet PathInfo to [dirname]/[file] in the above example. The GNUJSP servlet then incorrectly assumes that the request was made to "http://site/[dirname]/[file]".
> I don't know enough about gnujsp to provide a solution - but it seems to be kind of a configuration flaw in standard-config of gnujsp.
There's a "denyuri" configuration option for GNUJSP but this is not a good fix since

1. The same GNUJSP servlet can be called with multiple URIs (e.g. /servlets/gnujsp and /servlet/gnujsp)
2. It does not seem to work with GNUJSP 1.0.0 and JServ at all when there are servlet aliases

A more secure solution is the attached patch for GNUJSP 1.0.0 and 1.0.1 which forbids all direct requests to the GNUJSP servlet. Only files which are mapped to the GNUJSP servlet (in most cases *.jsp) can be accessed then.

--
Stefan Gybas
trustsec IT solutions GmbH
Attachment: gnujsp-1.0.0.patch
Attachment: gnujsp-1.0.1.patch
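The following is an added illustration of the kind of guard the reply describes, not the attached GNUJSP patch and not GNUJSP's own code. It assumes a servlet that is reached either by a path-prefix mapping such as /servlets/gnujsp (where the container places the rest of the URL in PathInfo) or by an extension mapping such as *.jsp (where PathInfo is null and ServletPath names the requested file). The class name, the abstract executeJsp method and the ".jsp" extension are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical JSP-dispatching servlet (added example, not GNUJSP's code).
 * It refuses every request that reaches it through a direct servlet URI
 * and only serves files that the container mapped to it by extension.
 */
public abstract class GuardedJspServlet extends HttpServlet {

    /** Extension the servlet is mapped to in the container (assumed). */
    private static final String MAPPED_EXTENSION = ".jsp";

    /**
     * True when the request came in as /servlets/gnujsp/[dir]/[file] or
     * any other direct URI. With a prefix mapping the container puts the
     * trailing part of the URL into PathInfo; with an extension mapping
     * PathInfo is null and ServletPath is the requested file itself.
     * Checking PathInfo rather than the URI prefix means the guard does
     * not care whether the servlet is aliased as /servlets/gnujsp,
     * /servlet/gnujsp or anything else.
     */
    static boolean isDirectServletRequest(String servletPath, String pathInfo) {
        if (pathInfo != null && pathInfo.length() > 0) {
            return true;                       // prefix mapping: direct call
        }
        if (servletPath == null) {
            return true;                       // nothing to resolve safely
        }
        return !servletPath.endsWith(MAPPED_EXTENSION);
    }

    /** Hands a container-resolved JSP file to the JSP engine (not shown). */
    protected abstract void executeJsp(String realPath,
                                       HttpServletRequest req,
                                       HttpServletResponse resp)
            throws ServletException, IOException;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (isDirectServletRequest(req.getServletPath(), req.getPathInfo())) {
            // Direct request to the servlet: never treat PathInfo as a
            // file under the document root, so no listing or source leaks.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ServletPath came from an extension mapping, so it names the JSP
        // file the client actually requested; resolve it under the webapp.
        String realPath = getServletContext().getRealPath(req.getServletPath());
        if (realPath == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        executeJsp(realPath, req, resp);
    }
}
```

With this guard, a request to /servlets/gnujsp/etc/index.html arrives with PathInfo "/etc/index.html" and is answered 403 before any path is resolved, while a request to /app/page.jsp, mapped by extension, arrives with a null PathInfo and ServletPath "/app/page.jsp" and is served normally. The same check works for every alias of the servlet, which is the property a URI deny-list such as denyuri cannot give.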