Bugtraq: gnujsp: dir- and script-disclosure

[Thomas Springer <thomas.springer () tuev-sued de>]

---
mod: 
for verifying this, ask your favourite google for sites running gnujsp, eg
+"/scripts/gnujsp/".
if you want to get a fix first - go for it, before you release this. 
I tried to contact two sites running gnujsp asking for help with a fix -
but they didn't even bother to reply. I'm too busy for installing gnjusp
and doing further research myself.

tom
---

Most sites running apache/gnujsp are vulnerable to directorylisting,
scriptsource disclosure and httpd-restrictions bypass.

Requesting http://site/servlets/gnujsp/[dirname]/[file] on a site running
gnujsp, reveals directory-listing of any webdir including wwwroot, it also
reveals the script-source of certain (not all!) script-types, depending on
webserver-config.

Wrapping the url with /servlets/gnujsp/ bypasses
directory/file-restrictions in http.conf or .htaccess, files and
directory-structures can be displayed along with the .htaccess-file.

Very few sites running gnujsp seem to be partially or complete immune to
this behaviour, most are vulnerable.
The /servlets/gnujsp/ is easy to guess, it appears in many error-messages.

I don't know enough about gnujsp to provide a solution - but it seems to be
kind of a configuration flaw in standard-config of gnujsp.
I only tested on apache - maybe other servers with gnujsp installed are
vulnerable too.

I contacted the gnujsp-devolpers (according to the rather old AUTHORS-file)
at 02/15/2002 without any response so far.

Maybe someone else familiar with gnujsp could provide a solution.


Gruesse,

 Thomas Springer
 (IT Security)

TUEV Informatik Service
Westendstr. 199
80806 München
Tel. 089 5791-2069
thomas.springer () tuev-sued de
(pgp-signed mail welcome)