JSP multiple web application servers cause JSP source code leakage vulnerabilities
Author: Zhonglian Green Alliance Chineseization: unknown Compilation: JSPER
Affected systems:
BEA Systems Weblogic 4.5.1
- Microsoft Windows NT 4.0
BEA Systems Weblogic 4.0.4
- Microsoft Windows NT 4.0
BEA Systems Weblogic 3.1.8
- Microsoft Windows NT 4.0
IBM Websphere Application Server 3.0.21
- Sun Solaris 8.0
- Microsoft Windows NT 4.0
- Linux kernel 2.
- IBM AIX 4.3
Unify eWave ServletExec 3.0
- Sun Solaris 8.0
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- Linux kernel 2.
- IBM AIX 4.3.2
- HP HP-UX 11.4
describe:
--------------------------------------------------------------------------------
Many webservers are case sensitive, but do not handle the case mapping of suffixes correctly. As long as the JSP or JHTML file suffix is changed from lowercase to uppercase in the URL, the web server cannot correctly process the file suffix and display it as plain text. The attacker may obtain the source code of these programs.
<* Source: @ *>
--------------------------------------------------------------------------------
suggestion:
Unify eWave ServletExec:
Unify says that the default installed Servlet will not leak source code
BEA Systems Weblogic:
Temporary solution:
Add handler to all possible case suffixes:
.jsp file:
.jsp .Jsp .jSp .jsP .JSp .jSP .JsP .JSP
.jhtml file:
.jhtml .Jhtml .jHtml .jhTml .jhtMl .jhtmL .JHtml .JhTml
.JhtMl .JhtmL .jHTml .jHtMl .jHtmL .jhTMl .jhTmL .jhtML
.JHTml .JHtMl .JHtmL .JhTMl .JhTmL .JhtML .jHTMl .jHTmL
.jHtML .jhTML .JHTMl .JHTmL .JhTML .jHTML .JHTML
The manufacturer has provided a patch for version 3.1.8, which can be downloaded at the following address:
ftp:///pub/releases/318/
IBM WebSphere Application Server:
IBM has provided the corresponding patches at:
/software/webservers/appserv/
Updated: 2000-07-12 �
Author: Zhonglian Green Alliance Chineseization: unknown Compilation: JSPER
Affected systems:
BEA Systems Weblogic 4.5.1
- Microsoft Windows NT 4.0
BEA Systems Weblogic 4.0.4
- Microsoft Windows NT 4.0
BEA Systems Weblogic 3.1.8
- Microsoft Windows NT 4.0
IBM Websphere Application Server 3.0.21
- Sun Solaris 8.0
- Microsoft Windows NT 4.0
- Linux kernel 2.
- IBM AIX 4.3
Unify eWave ServletExec 3.0
- Sun Solaris 8.0
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- Linux kernel 2.
- IBM AIX 4.3.2
- HP HP-UX 11.4
describe:
--------------------------------------------------------------------------------
Many webservers are case sensitive, but do not handle the case mapping of suffixes correctly. As long as the JSP or JHTML file suffix is changed from lowercase to uppercase in the URL, the web server cannot correctly process the file suffix and display it as plain text. The attacker may obtain the source code of these programs.
<* Source: @ *>
--------------------------------------------------------------------------------
suggestion:
Unify eWave ServletExec:
Unify says that the default installed Servlet will not leak source code
BEA Systems Weblogic:
Temporary solution:
Add handler to all possible case suffixes:
.jsp file:
.jsp .Jsp .jSp .jsP .JSp .jSP .JsP .JSP
.jhtml file:
.jhtml .Jhtml .jHtml .jhTml .jhtMl .jhtmL .JHtml .JhTml
.JhtMl .JhtmL .jHTml .jHtMl .jHtmL .jhTMl .jhTmL .jhtML
.JHTml .JHtMl .JHtmL .JhTMl .JhTmL .JhtML .jHTMl .jHTmL
.jHtML .jhTML .JHTMl .JHTmL .JhTML .jHTML .JHTML
The manufacturer has provided a patch for version 3.1.8, which can be downloaded at the following address:
ftp:///pub/releases/318/
IBM WebSphere Application Server:
IBM has provided the corresponding patches at:
/software/webservers/appserv/
Updated: 2000-07-12 �