From stuart.mcclure@FOUNDSTONE.COM Thu Jul 13 02:32:50 2000 From: stuart.mcclure@FOUNDSTONE.COM To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 12 Jun 2000 01:22:38 -0400 Subject: IBM WebSphere JSP showcode vulnerability [The following text is in the "ISO-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] Foundstone, Inc. http://www.foundstone.com "Securing the Dot Com World" Security Advisory IBM WebSphere Application Server ---------------------------------------------------------------------- FS Advisory ID: FS-061200-3-IBM Release Date: June 12, 2000 Product: WebSphere Application Server Vendor: IBM http://www-4.ibm.com/software/webservers/ appserv/ Vendor Advisory: http://www-4.ibm.com/software/webservers/ appserv/efix.html Type: JSP show code vulnerability Severity: Low to Medium (depending on JSP coding practices) Author: Saumil Shah (saumil.shah@foundstone.com) Stuart McClure (stuart.mcclure@foundstone.com) Foundstone, Inc. (http://www.foundstone.com) Operating Systems: Windows NT Vulnerable versions: All version up to and including 3.0.2 Foundstone advisory: http://www.foundstone.com ---------------------------------------------------------------------- Description A show code vulnerability exists with IBM's WebSphere Application Server for NT allowing an attacker to view the source code of Java Server Pages (JSP) files. Details The problem lies with the way WebSphere assigns handlers to specific file types. For example, files with the extensions .jsp are registered as Java Server Pages by WebSphere. WebSphere being case sensitive, interprets .jsp and .JSP to be two extensions. If a request for a .JSP file is made to WebSphere, it cannot find a handler for the .JSP extension and therefore, it uses the default handler, which is of type "text". Since the underlying file system is Windows NT, it does not differentiate between upper case and lower case filenames, and hence the requested file ends up being served up as plain text without being parsed or interpreted. On WebSphere running on Unix servers, it flags a "File not Found" error. Proof of Concept Normally, JSP files are referred to in URLs using lower case extensions. For example: http://site.running.websphere/index.jsp By changing any letters in the extension (.jsp) to upper case, it is possible to obtain the unparsed source code of the JSP file. For the above example, the exploit would be to access the following URL: http://site.running.websphere/index.JSP Solution Workaround none Fix An efix (APAR #: PQ38936) is available and will be posted at: http://www-4.ibm.com/software/webservers/appserv/efix.html Credits We would like to thank Shreeraj Shah for drawing our attention to this vulnerability. We'd also like to thank IBM for their prompt and serious attention to this issue. Disclaimer The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or conquential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way. [Part 2, Text/HTML (charset: ISO-8859-1 "Latin 1") 254 lines] [Unable to print this part]