Bugtraq: Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")

From: Bill Stoddard <bill () wstoddard com>
Date: Thu, 12 Feb 2004 14:10:58 -0500

Wang Yun wrote:


TOPIC:
======
Apache + Resin Reveals JSP Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/")

Description:
============
Security vulnerability has been found in Windows NT/2000 Systems that have Apache 1.3.29 + Resin 2.1.12 installed. The 
vulnerability allows remote users view script Source Code And Access files in the Forbidden Directory.

Exploits:
=========
http://apache/index.jsp%20
It is possible to cause the Apache server to send back the content of index.jsp.

http://apache/WEB-INF../
It is possible to cause the Apache server to send back the list of "/WEB-INF/" Directory.

Analyze:
========

1.Apache think "/WEB-INF../" unequal to "/WEB-INF/" So find this Directory by itself.2."/WEB-INF/" Directory not Forbidden in Apache Config files.3."d:\resin\doc\>cd WEB-INF.." legit in Windows Systems.


Sorry for my poor english.

lovehacker
China


Don't put your jsp's under DocumentRoot. Same advice goes for CGI scripts, servlets, et. al.

Bill

By Date By Thread

Current thread:

RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/"), (continued)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Bill Stoddard (Feb 13)