SecurityTracker.com
SecurityTracker
Archives



Category:  Application (Web Server/CGI)  >  Sun Java Application Server (Sun ONE)
Vendors:  Sun
Sun ONE Application Server Discloses JSP Source Code to Remote Users and Passwords to Local Users
SecurityTracker Alert ID:  1006858
SecurityTracker URL:  http://securitytracker.com/id?1006858
CVE Reference:  CAN-2003-0411, CAN-2003-0412, CAN-2003-0413, CAN-2003-0414
Updated:  Dec 22 2003
Original Entry Date:  May 28 2003
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 7.0
Description:  Some vulnerabilities were reported in the Sun ONE Application Server, affecting Windows platforms. A local user can view passwords. A remote user can view JSP source code, submit long URLs that will not be fully logged, and conduct cross-site scripting attacks.

SPI Dynamics reported several flaws, each of which is described below.

A remote user can reportedly view JSP source code by submitting an HTTP request for the file with the case of the file extension changed. The software checks whether the file extension is ".jsp" (in lower case) and, if so, does not display the source. Because the Windows filesystem is case insensitive, a request for the same file with a ".JSP" (upper case) extension resolves to the same file, and its source is displayed [CVE: CAN-2003-0411]. A demonstration exploit HTTP request is provided:

GET /hello.JSP HTTP/1.0
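The following is an added illustration of the check described above, written for this entry; it is not code from Sun or from the SPI Dynamics advisory. It models a tiny dispatcher over a constructed, case-insensitive "web root" (standing in for the Windows filesystem) and shows the case-sensitive extension comparison that lets "hello.JSP" fall through to the static-file handler, next to a corrected check that normalises the extension before comparing. The function and path names are assumptions made for the example.

```python
import os
from typing import Callable, Dict, List, Optional

# Constructed sample web root: request path -> file contents.
# "/hello.jsp" stands in for a server page whose source must never be served raw.
SAMPLE_WEBAPP: Dict[str, str] = {
    "/hello.jsp": "<% out.println(lookupUser(request.getParameter(\"id\"))); %>",
    "/index.html": "<html><body>public page</body></html>",
}

# Marker for "the JSP engine compiled and ran the page" (instead of returning its text).
COMPILED_MARKER = "[compiled JSP output]"


def lookup_case_insensitive(path: str) -> Optional[str]:
    """Mimic a case-insensitive filesystem: '/hello.JSP' and '/hello.jsp' are one file."""
    for stored, contents in SAMPLE_WEBAPP.items():
        if stored.lower() == path.lower():
            return contents
    return None


def handle_request_vulnerable(path: str) -> Optional[str]:
    """Flawed dispatch: only an exact lower-case '.jsp' suffix reaches the JSP engine."""
    contents = lookup_case_insensitive(path)
    if contents is None:
        return None                      # 404
    if path.endswith(".jsp"):            # case-sensitive check: the defect
        return COMPILED_MARKER
    return contents                      # static fallback serves the JSP text for '/hello.JSP'


def handle_request_fixed(path: str) -> Optional[str]:
    """Corrected dispatch: compare the extension case-insensitively on case-insensitive filesystems."""
    contents = lookup_case_insensitive(path)
    if contents is None:
        return None
    ext = os.path.splitext(path)[1].lower()
    if ext == ".jsp":
        return COMPILED_MARKER
    return contents


def leaked_paths(handler: Callable[[str], Optional[str]], candidates: List[str]) -> List[str]:
    """Audit helper: which request paths make the handler return raw JSP source?"""
    leaked = []
    for p in candidates:
        body = handler(p)
        if body is not None and body != COMPILED_MARKER and "<%" in body:
            leaked.append(p)
    return leaked


if __name__ == "__main__":
    probes = ["/hello.jsp", "/hello.JSP", "/hello.Jsp", "/index.html"]
    print("vulnerable leaks:", leaked_paths(handle_request_vulnerable, probes))
    print("fixed leaks:     ", leaked_paths(handle_request_fixed, probes))
```

The same audit helper can be pointed at any extension-based protection (".jspx", ".inc", configuration files) to confirm that the comparison, not just the filesystem, is case-insensitive.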

It is also reported that the server logs only the first 4042 characters of a requested URL, even though the server will process URLs as long as 4096 characters [CVE: CAN-2003-0412]. A remote user can request specially crafted URLs that may be valid but will not be properly logged by the system.
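An added example, not part of the original entry, showing how an analyst could flag log records affected by the truncation described above. It assumes a common-log-format access log in which the server still writes a well-formed line but cuts the URL field to the first 4042 characters; any record whose logged URL is already at that limit may belong to a longer (up to 4096-character) request that was processed but not fully recorded. The log lines are constructed for the example, and the field layout is an assumption.

```python
import re
from typing import Dict, List

LOGGED_URL_LIMIT = 4042     # characters of the URL the server writes to the log (per the alert)
PROCESSED_URL_LIMIT = 4096  # longest URL the server will still process (per the alert)

# Common log format: client ident user [timestamp] "METHOD url PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def truncated_url_entries(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return records whose URL field is at the logging limit and may therefore be incomplete."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                         # unparseable line: out of scope here
        url = m.group("url")
        if len(url) >= LOGGED_URL_LIMIT:
            flagged.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "logged_len": len(url),
                # how much of a maximal request could be missing from the log
                "max_unlogged": PROCESSED_URL_LIMIT - len(url),
                "url_prefix": url[:60],
            })
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: one ordinary request and one whose URL was cut at the limit."""
    stem = "/search?q="
    long_url = stem + "A" * (LOGGED_URL_LIMIT - len(stem))   # exactly 4042 chars as logged
    return [
        '192.0.2.10 - - [28/May/2003:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 512',
        f'192.0.2.77 - - [28/May/2003:10:00:05 -0400] "GET {long_url} HTTP/1.0" 200 88',
        '192.0.2.10 - - [28/May/2003:10:00:09 -0400] "GET /hello.jsp HTTP/1.0" 200 1024',
    ]


if __name__ == "__main__":
    for rec in truncated_url_entries(build_sample_log()):
        print(rec["ts"], rec["client"], "logged", rec["logged_len"], "chars; up to",
              rec["max_unlogged"], "more may have been processed but not logged")
```

A URL of exactly 4042 characters cannot be distinguished from a longer one that was cut, so the check reports "possibly truncated" rather than proving truncation; correlating such records with an upstream proxy log or packet capture recovers the full request.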

It is also reported that the software may display user-supplied HTML code without filtering in certain error cases, permitting cross-site scripting attacks [CVE: CAN-2003-0413]. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Sun ONE Application Server and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL using an example Java application is provided:

GET /webapps-simple/jsp/source.jsp?<script>alert(document.cookie)</script> HTTP/1.0
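Added for this entry (not code from Sun's sample application or the advisory): a minimal model of the error-page behaviour, showing the query string echoed into the response unescaped beside the corrected rendering that HTML-encodes it. The request target is the one quoted above; the function names and the page template are assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

ERROR_TEMPLATE = "<html><body><h1>Error</h1><p>Could not handle request: {detail}</p></body></html>"


def error_page_vulnerable(request_target: str) -> str:
    """Reflects the raw query string into the error page: user-supplied markup becomes live HTML."""
    query = urlsplit(request_target).query
    return ERROR_TEMPLATE.format(detail=query)


def error_page_fixed(request_target: str) -> str:
    """Encodes the reflected value so '<', '>', '&' and quotes render as text, not markup."""
    query = urlsplit(request_target).query
    return ERROR_TEMPLATE.format(detail=html.escape(query, quote=True))


def reflected_unescaped(page: str, request_target: str) -> Optional[str]:
    """Check helper: return the query string if it appears verbatim in the page with a '<' intact."""
    query = urlsplit(request_target).query
    if "<" in query and query in page:
        return query
    return None


if __name__ == "__main__":
    target = "/webapps-simple/jsp/source.jsp?<script>alert(document.cookie)</script>"
    print("vulnerable:", reflected_unescaped(error_page_vulnerable(target), target))
    print("fixed:     ", reflected_unescaped(error_page_fixed(target), target))
```

Output encoding at the point where the value is written into HTML is the durable fix; filtering specific strings on input is what the "certain error cases" in the report tend to bypass.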

It is also reported that the software stores the username and password for the administrative server in a world-readable file during installation [CVE: CAN-2003-0414]. The report indicates that the information is stored in the 'statefile' in the 'C:\sun' directory in a default installation on Windows 2000. A local user can view the password information.

The full SPI Dynamics advisory is available at:

http://www.spidynamics.com/sunone_alert.html

The vendor has reportedly been notified without response (on May 18, 2003 and several times since then).

Impact:  A remote user can view JSP source code.

A remote user can submit long URLs that will be processed by the server but will not be fully logged by the server.

A local user can view the username and password for the administrative server.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Sun ONE Application Server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:  No solution was available at the time of this entry.

The author of the report has provided a workaround for the password disclosure vulnerability, recommending that the permissions of the statefile be changed so that only the administrator can access the file.

Vendor URL:  www.sun.com/
Cause:  Access control error, Input validation error, State error
Underlying OS:  Windows (2000), Windows (XP)
Reported By:  "SPI Labs" <spilabs@spidynamics.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 4 2003 (Sun Issues Partial Fix) Re: Sun ONE Application Server Discloses JSP Source Code to Remote Users and Passwords to Local Users
Sun has fixed some of the flaws and provided workarounds for the others.
Dec 22 2003 (Sun Issues Final Fix) Sun ONE Application Server Discloses JSP Source Code to Remote Users and Passwords to Local Users
Sun has released an additional fix.
Jul 22 2004 (Sun Issues Partial Fix for 6.1) Sun ONE Application Server Discloses JSP Source Code to Remote Users and Passwords to Local Users
Sun has issued a fix for the cross-site scripting flaw in the 'webapps-simple' sample application in version 6.1.



Source Message Contents

[Original Message Not Available for Viewing]






Copyright 2004, SecurityGlobal.net LLC