WebApp Sec mailing list archives

Memo: Re: Errors displayed on a web server


From: tim.m.james () hsbc com
Date: Tue, 05 Jul 2005 16:57:44 +0100
Benoni,

Looks like out-of-the-box WebSphere 3.x behaviour for missing /
non-existent WebSphere resources. By default there is no 404 error page for
WebSphere. If you don't specify one it gives this recursive error 404
trying to load your 404 page which is missing....etc. etc....good isn't it?
Then WebSphere dumps its stack trace showing the internal calls WebSphere
made leading up to the point of the error.

Maybe more worrying is the fact that they seem to be using this Srv*
servlet to forward onto other resources, but when they don't exist they let
the exception get thrown all the way to the JVM and don't catch it in the
parent servlet, resulting in the messy stack trace being displayed. The
exception should have been caught by their servlet and a nice error message
displayed instead. This is Java 101 territory.....oh, and they can't spell
"delivered" either.

I'm prepared to be corrected but I don't think this gives attackers something
to use particularly. It's sloppy and looks bad and leaks info that doesn't
need to be leaked, but it probably isn't exploitable on its own. It might
give a foothold for more though.

Hope this helps,

Tim
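The fix Tim describes, as an added example written for this archive page (it is not code from the thread, from the company's Srv* servlet, or from WebSphere): a front-controller servlet that catches its own failures and answers with a plain error page, so nothing propagates to the container's default error handling. FrontServlet, resolveTarget, UnknownPathException and the two JSP paths are assumed names chosen for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front-controller servlet standing in for the "Srv*" servlet
// in the thread. Every failure is caught here; the client only ever sees a
// generic status page, and the detail goes to the server log.
public class FrontServlet extends HttpServlet {

    /** Thrown when no application resource corresponds to the requested path. */
    static class UnknownPathException extends Exception {
        UnknownPathException(String path) { super("no resource for " + path); }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getPathInfo() == null ? "/" : req.getPathInfo();
        try {
            String target = resolveTarget(path);
            RequestDispatcher rd = getServletContext().getRequestDispatcher(target);
            if (rd == null) throw new UnknownPathException(path);
            rd.forward(req, resp);
        } catch (UnknownPathException e) {
            // Unknown path: log it, answer 404, say nothing about internals.
            log("FrontServlet: " + e.getMessage());
            sendPlainError(resp, HttpServletResponse.SC_NOT_FOUND, "Not Found");
        } catch (Exception e) {
            // Anything the forwarded resource threw: log with the trace,
            // never echo the trace to the client.
            log("FrontServlet: unexpected failure for " + path, e);
            sendPlainError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Server Error");
        }
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }

    /** Map a request path to an internal resource; anything not on the
     *  allow-list is rejected before any dispatch happens. */
    private String resolveTarget(String path) throws UnknownPathException {
        if ("/home".equals(path)) return "/WEB-INF/jsp/home.jsp";
        if ("/profile".equals(path)) return "/WEB-INF/jsp/profile.jsp";
        throw new UnknownPathException(path);
    }

    /** Write a minimal error page inline, so the response does not depend on
     *  a configured error-page that might itself be missing (the cause of the
     *  "recursive error" in the thread). */
    private void sendPlainError(HttpServletResponse resp, int status, String title)
            throws IOException {
        if (resp.isCommitted()) return;   // too late to replace the body
        resp.reset();
        resp.setStatus(status);
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><head><title>" + status + " " + title + "</title></head>");
        out.println("<body><h1>" + status + " " + title + "</h1></body></html>");
    }
}
```

Catching inside the servlet covers the paths it dispatches; for requests the container handles itself (the "File Serving Enabler" case in the trace), the web application's deployment descriptor also needs an error-page mapping for 404 and for java.lang.Throwable, and the page it points at has to actually exist, since the recursive error above came from the error page itself being missing.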
Bénoni MARTIN <Benoni.MARTIN () libertis ga> on 05 Jul 2005 15:18

To:    webappsec () securityfocus com
cc:
bcc:

Subject:    Errors displayed on a web server


Hi list,

I am currently performing a pen-test on a company's web server, and I found
the following error display when testing some randomly generated URLs. It
seems to be some Java code, but as I do not know this language, can anyone
skilled in that tell me if this stuff can be useful for further attacks
or not (the real company name has been hidden behind ****)?

<---------- // Snip ---------->

A recursive error was detected.
The server cannot use specified error page. Please check the application error-path.

Original Error:
Error Message: File not found: //profile*
Error Code: 404
Target Servlet: File Serving Enabler
Error Stack:

--------------------------------------------------------------------------------

Root Error-1: File not found: //profile*

com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //profile*
 at java.lang.Throwable.fillInStackTrace(Native Method)
 at java.lang.Throwable.fillInStackTrace(Compiled Code)
 at java.lang.Throwable.<init>(Compiled Code)
 at java.lang.Exception.<init>(Compiled Code)
 at javax.servlet.ServletException.<init>(Compiled Code)
 at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(Compiled Code)
 at com.ibm.servlet.engine.webapp.SimpleFileServlet.doGet(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(Compiled Code)
 at com.ibm.servlet.engine.webapp.IdleServletState.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstance.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(Compiled Code)
 at com.ibm.servlet.engine.srt.WebAppInvoker.handleInvocationHook(Compiled Code)
 at com.ibm.servlet.engine.invocation.CachedInvocation.handleInvocation(Compiled Code)
 at com.ibm.servlet.engine.srp.ServletRequestProcessor.dispatchByURI(Compiled Code)
 at com.ibm.servlet.engine.oselistener.OSEListenerDispatcher.service(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp$ServiceRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp.notifySQEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQEventSource.notifyEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.notifyService(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.outofproc.OutOfProcThread$CtlRunnable.run(Compiled Code)
 at java.lang.Thread.run(Thread.java:479)


Recursive Error:
Error Message: Server caught unhandled exception from servlet [Srv***********]: Requested path : /ga/profile* is not deliverd by this application !
Error Code: 0
Target Servlet: null
Error Stack:

--------------------------------------------------------------------------------

Root Error-1: Requested path : /ga/profile* is not deliverd by this application !

javax.servlet.ServletException: Requested path : /ga/profile* is not deliverd by this application !
 at java.lang.Throwable.fillInStackTrace(Native Method)
 at java.lang.Throwable.fillInStackTrace(Compiled Code)
 at java.lang.Throwable.<init>(Compiled Code)
 at java.lang.Exception.<init>(Compiled Code)
 at javax.servlet.ServletException.<init>(Compiled Code)
 at com.***********.fo.engine.Srv***********.doPost(Compiled Code)
 at com.***********.fo.engine.Srv***********.doGet(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(Compiled Code)
 at com.ibm.servlet.engine.webapp.IdleServletState.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstance.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.include(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebApp.sendError(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(Compiled Code)
 at com.ibm.servlet.engine.webapp.SimpleFileServlet.doGet(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(Compiled Code)
 at com.ibm.servlet.engine.webapp.IdleServletState.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstance.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(Compiled Code)
 at com.ibm.servlet.engine.srt.WebAppInvoker.handleInvocationHook(Compiled Code)
 at com.ibm.servlet.engine.invocation.CachedInvocation.handleInvocation(Compiled Code)
 at com.ibm.servlet.engine.srp.ServletRequestProcessor.dispatchByURI(Compiled Code)
 at com.ibm.servlet.engine.oselistener.OSEListenerDispatcher.service(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp$ServiceRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp.notifySQEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQEventSource.notifyEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.notifyService(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.outofproc.OutOfProcThread$CtlRunnable.run(Compiled Code)
 at java.lang.Thread.run(Thread.java:479)

--------------------------------------------------------------------------------

Wrapped Error-2: Server caught unhandled exception from servlet [Srv***********]: Requested path : /ga/profile* is not deliverd by this application !

com.ibm.servlet.engine.webapp.UncaughtServletException: Server caught unhandled exception from servlet [Srv***********]: Requested path : /ga/profile* is not deliverd by this application !
 at java.lang.Throwable.fillInStackTrace(Native Method)
 at java.lang.Throwable.fillInStackTrace(Compiled Code)
 at java.lang.Throwable.<init>(Compiled Code)
 at java.lang.Exception.<init>(Compiled Code)
 at javax.servlet.ServletException.<init>(Compiled Code)
 at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(Compiled Code)
 at com.ibm.servlet.engine.webapp.UncaughtServletException.<init>(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.include(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebApp.sendError(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(Compiled Code)
 at com.ibm.servlet.engine.webapp.SimpleFileServlet.doGet(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(Compiled Code)
 at com.ibm.servlet.engine.webapp.IdleServletState.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstance.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(Compiled Code)
 at com.ibm.servlet.engine.srt.WebAppInvoker.handleInvocationHook(Compiled Code)
 at com.ibm.servlet.engine.invocation.CachedInvocation.handleInvocation(Compiled Code)
 at com.ibm.servlet.engine.srp.ServletRequestProcessor.dispatchByURI(Compiled Code)
 at com.ibm.servlet.engine.oselistener.OSEListenerDispatcher.service(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp$ServiceRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp.notifySQEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQEventSource.notifyEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.notifyService(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.outofproc.OutOfProcThread$CtlRunnable.run(Compiled Code)
 at java.lang.Thread.run(Thread.java:479)

--------------------------------------------------------------------------------

Wrapped Error-3: Server caught unhandled exception from servlet [Srv***********]: Requested path : /ga/profile* is not deliverd by this application !

com.ibm.servlet.engine.webapp.WebAppErrorReport: Server caught unhandled exception from servlet [Srv***********]: Requested path : /ga/profile* is not deliverd by this application !
 at java.lang.Throwable.fillInStackTrace(Native Method)
 at java.lang.Throwable.fillInStackTrace(Compiled Code)
 at java.lang.Throwable.<init>(Compiled Code)
 at java.lang.Exception.<init>(Compiled Code)
 at javax.servlet.ServletException.<init>(Compiled Code)
 at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebApp.sendError(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(Compiled Code)
 at com.ibm.servlet.engine.webapp.SimpleFileServlet.doGet(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at javax.servlet.http.HttpServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictServletInstance.doService(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet._service(Compiled Code)
 at com.ibm.servlet.engine.webapp.IdleServletState.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.StrictLifecycleServlet.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstance.service(Compiled Code)
 at com.ibm.servlet.engine.webapp.ValidServletReferenceState.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.ServletInstanceReference.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.handleWebAppDispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.dispatch(Compiled Code)
 at com.ibm.servlet.engine.webapp.WebAppRequestDispatcher.forward(Compiled Code)
 at com.ibm.servlet.engine.srt.WebAppInvoker.handleInvocationHook(Compiled Code)
 at com.ibm.servlet.engine.invocation.CachedInvocation.handleInvocation(Compiled Code)
 at com.ibm.servlet.engine.srp.ServletRequestProcessor.dispatchByURI(Compiled Code)
 at com.ibm.servlet.engine.oselistener.OSEListenerDispatcher.service(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp$ServiceRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.SQEventListenerImp.notifySQEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQEventSource.notifyEvent(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.notifyService(Compiled Code)
 at com.ibm.servlet.engine.oselistener.serverqueue.SQWrapperEventSource$SelectRunnable.run(Compiled Code)
 at com.ibm.servlet.engine.oselistener.outofproc.OutOfProcThread$CtlRunnable.run(Compiled Code)
 at java.lang.Thread.run(Thread.java:479)

<---------- Snip // ---------->
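A check for the leak Bénoni found, written as an added example for this archive page rather than taken from the thread: it scans an HTTP response body for the markers of a Java or WebSphere stack trace, so the same condition can be flagged in a site's own test suite or response monitoring instead of being discovered from outside. StackTraceLeakCheck, its patterns and the sample text are all constructed for this example; the application package com.example stands in for the masked company package.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Flags response bodies that carry Java/WebSphere error diagnostics.
// Patterns are modelled on the shape of the WebSphere 3.x report in the thread.
public class StackTraceLeakCheck {

    private static final Map<String, Pattern> LEAK_PATTERNS =
            new LinkedHashMap<String, Pattern>();
    static {
        // A Java stack frame: "at pkg.Class.method(File.java:NN)" or "(Compiled Code)".
        LEAK_PATTERNS.put("java_stack_frame",
                Pattern.compile("^\\s*at [\\w$.]+\\([^)]*\\)", Pattern.MULTILINE));
        // A fully qualified exception class followed by its message.
        LEAK_PATTERNS.put("java_exception_class",
                Pattern.compile("\\b[\\w.]+(?:Exception|Error)\\b: "));
        // Section markers of the WebSphere error report format.
        LEAK_PATTERNS.put("websphere_error_report",
                Pattern.compile("Error Stack:|Root Error-\\d+:|Wrapped Error-\\d+:"));
        LEAK_PATTERNS.put("websphere_recursive_error",
                Pattern.compile("A recursive error was detected"));
    }

    /** Count matches per pattern; patterns with no hits are omitted. */
    public static Map<String, Integer> findLeakIndicators(String body) {
        Map<String, Integer> hits = new LinkedHashMap<String, Integer>();
        for (Map.Entry<String, Pattern> e : LEAK_PATTERNS.entrySet()) {
            Matcher m = e.getValue().matcher(body);
            int n = 0;
            while (m.find()) n++;
            if (n > 0) hits.put(e.getKey(), n);
        }
        return hits;
    }

    /** Non-JDK classes named in stack frames: what the trace reveals about the
     *  product and the custom code behind the site. */
    public static List<String> applicationClasses(String body) {
        Matcher m = Pattern.compile("^\\s*at ([\\w$.]+)\\(", Pattern.MULTILINE).matcher(body);
        TreeSet<String> classes = new TreeSet<String>();
        while (m.find()) {
            String frame = m.group(1);
            int dot = frame.lastIndexOf('.');
            if (dot < 0) continue;
            String cls = frame.substring(0, dot);   // drop the method name
            if (!cls.startsWith("java.") && !cls.startsWith("javax.")) classes.add(cls);
        }
        return new ArrayList<String>(classes);
    }

    /** "clean", "error-detail" (report markers but no frames) or "stack-trace". */
    public static String assess(String body) {
        Map<String, Integer> hits = findLeakIndicators(body);
        if (hits.isEmpty()) return "clean";
        if (hits.containsKey("java_stack_frame")) return "stack-trace";
        return "error-detail";
    }

    // Constructed sample, modelled on the thread's trace; "com.example" is a placeholder.
    static final String SAMPLE_LEAKY =
            "A recursive error was detected.\n"
            + "Original Error:\n"
            + "Error Message: File not found: //profile*\n"
            + "Error Code: 404\n"
            + "Error Stack:\n"
            + "Root Error-1: File not found: //profile*\n"
            + "com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: //profile*\n"
            + " at java.lang.Throwable.fillInStackTrace(Native Method)\n"
            + " at com.ibm.servlet.engine.webapp.SimpleFileServlet.doGet(Compiled Code)\n"
            + " at java.lang.Thread.run(Thread.java:479)\n"
            + "Recursive Error:\n"
            + "Error Stack:\n"
            + "Root Error-1: Requested path : /ga/profile* is not deliverd by this application !\n"
            + "javax.servlet.ServletException: Requested path : /ga/profile* is not deliverd by this application !\n"
            + " at java.lang.Throwable.fillInStackTrace(Native Method)\n"
            + " at com.example.fo.engine.SrvExample.doGet(Compiled Code)\n"
            + " at java.lang.Thread.run(Thread.java:479)\n";

    static final String SAMPLE_CLEAN = "<html><body><h1>404 Not Found</h1></body></html>";

    public static void main(String[] args) {
        System.out.println("leaky: " + assess(SAMPLE_LEAKY) + " " + findLeakIndicators(SAMPLE_LEAKY));
        System.out.println("reveals: " + applicationClasses(SAMPLE_LEAKY));
        System.out.println("clean: " + assess(SAMPLE_CLEAN) + " " + findLeakIndicators(SAMPLE_CLEAN));
    }
}
```

Run against every error response a test client receives (404s for random paths are a good place to start, which is exactly how the original trace surfaced); any body that is not "clean" is a finding, and applicationClasses shows what an outsider would learn from it, which here is the container product (com.ibm.servlet.engine) and the site's own servlet package.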