Home page logo

bugtraq logo Bugtraq mailing list archives

gnujsp: dir- and script-disclosure
From: Thomas Springer <thomas.springer () tuev-sued de>
Date: Tue, 19 Feb 2002 15:51:01 +0100

for verifying this, ask your favourite google for sites running gnujsp, eg
if you want to get a fix first - go for it, before you release this. 
I tried to contact two sites running gnujsp asking for help with a fix -
but they didn't even bother to reply. I'm too busy for installing gnjusp
and doing further research myself.


Most sites running apache/gnujsp are vulnerable to directorylisting,
scriptsource disclosure and httpd-restrictions bypass.

Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running
gnujsp, reveals directory-listing of any webdir including wwwroot, it also
reveals the script-source of certain (not all!) script-types, depending on

Wrapping the url with /servlets/gnujsp/ bypasses
directory/file-restrictions in http.conf or .htaccess, files and
directory-structures can be displayed along with the .htaccess-file.

Very few sites running gnujsp seem to be partially or complete immune to
this behaviour, most are vulnerable.
The /servlets/gnujsp/ is easy to guess, it appears in many error-messages.

I don't know enough about gnujsp to provide a solution - but it seems to be
kind of a configuration flaw in standard-config of gnujsp.
I only tested on apache - maybe other servers with gnujsp installed are
vulnerable too.

I contacted the gnujsp-devolpers (according to the rather old AUTHORS-file)
at 02/15/2002 without any response so far.

Maybe someone else familiar with gnujsp could provide a solution.


 Thomas Springer
 (IT Security)

TUEV Informatik Service
Westendstr. 199
80806 M√ľnchen
Tel. 089 5791-2069
thomas.springer () tuev-sued de
(pgp-signed mail welcome)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]