mailing list archives
gnujsp: dir- and script-disclosure
From: Thomas Springer <thomas.springer () tuev-sued de>
Date: Tue, 19 Feb 2002 15:51:01 +0100
for verifying this, ask your favourite google for sites running gnujsp, eg
if you want to get a fix first - go for it, before you release this.
I tried to contact two sites running gnujsp asking for help with a fix -
but they didn't even bother to reply. I'm too busy for installing gnjusp
and doing further research myself.
Most sites running apache/gnujsp are vulnerable to directorylisting,
scriptsource disclosure and httpd-restrictions bypass.
Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running
gnujsp, reveals directory-listing of any webdir including wwwroot, it also
reveals the script-source of certain (not all!) script-types, depending on
Wrapping the url with /servlets/gnujsp/ bypasses
directory/file-restrictions in http.conf or .htaccess, files and
directory-structures can be displayed along with the .htaccess-file.
Very few sites running gnujsp seem to be partially or complete immune to
this behaviour, most are vulnerable.
The /servlets/gnujsp/ is easy to guess, it appears in many error-messages.
I don't know enough about gnujsp to provide a solution - but it seems to be
kind of a configuration flaw in standard-config of gnujsp.
I only tested on apache - maybe other servers with gnujsp installed are
I contacted the gnujsp-devolpers (according to the rather old AUTHORS-file)
at 02/15/2002 without any response so far.
Maybe someone else familiar with gnujsp could provide a solution.
TUEV Informatik Service
Tel. 089 5791-2069
thomas.springer () tuev-sued de
(pgp-signed mail welcome)
- gnujsp: dir- and script-disclosure Thomas Springer (Feb 20)