![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
From: Thomas Springer <thomas.springer@tuev-sued.de> To: bugtraq@securityfocus.com Subject: gnujsp: dir- and script-disclosure Date: Tue, 19 Feb 2002 15:51:01 +0100 Cc: pab@heise.de --- mod: for verifying this, ask your favourite google for sites running gnujsp, eg +"/scripts/gnujsp/". if you want to get a fix first - go for it, before you release this. I tried to contact two sites running gnujsp asking for help with a fix - but they didn't even bother to reply. I'm too busy for installing gnjusp and doing further research myself. tom --- Most sites running apache/gnujsp are vulnerable to directorylisting, scriptsource disclosure and httpd-restrictions bypass. Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running gnujsp, reveals directory-listing of any webdir including wwwroot, it also reveals the script-source of certain (not all!) script-types, depending on webserver-config. Wrapping the url with /servlets/gnujsp/ bypasses directory/file-restrictions in http.conf or .htaccess, files and directory-structures can be displayed along with the .htaccess-file. Very few sites running gnujsp seem to be partially or complete immune to this behaviour, most are vulnerable. The /servlets/gnujsp/ is easy to guess, it appears in many error-messages. I don't know enough about gnujsp to provide a solution - but it seems to be kind of a configuration flaw in standard-config of gnujsp. I only tested on apache - maybe other servers with gnujsp installed are vulnerable too. I contacted the gnujsp-devolpers (according to the rather old AUTHORS-file) at 02/15/2002 without any response so far. Maybe someone else familiar with gnujsp could provide a solution. Gruesse, Thomas Springer (IT Security) TUEV Informatik Service Westendstr. 199 80806 München Tel. 089 5791-2069 thomas.springer@tuev-sued.de (pgp-signed mail welcome)