Web Application Servers
Created 7/9/02
Impact
A remote attacker could gain access to application source code and configuration information, which could lead to further attacks resulting in unauthorized access.
Background
A web application is a collection of programs, web pages, and configuration files which work together. There are several web application servers available which support the HTTP protocol and the Java 2 Enterprise Edition (J2EE) platform. These servers typically keep all of the web application source code and configuration files in a directory called WEB-INF which is protected from outside users. Of particular importance is the web.xml file, which contains detailed information about the web application.
The Problem
Due to an irregularity in the Windows operating system (Windows ignores a trailing dot on a file or directory name, so a name such as WEB-INF. resolves to the WEB-INF directory), it is possible for a remote attacker to gain access to the WEB-INF directory by including a trailing dot character on the directory name in an HTTP request. The application server's access check compares the literal request path against the protected name and does not match, but the file system still resolves the path to the protected directory. This flaw could allow a remote attacker to view any files under the directory, including Java source code, configuration information, client session information, and the web.xml file.
The following web application servers are vulnerable if they are running on Windows platforms:
- Sybase EA Server 4.0
- Oracle Containers for J2EE (OC4J)
- Orion 1.5.3
- Macromedia's JRun 3.0, 3.1 and 4
- Hewlett Packard App Server (HPAS) 8.0
- Pramati 3.0
- Jo Webserver
Resolution
- Sybase EA Server: Upgrade to EA Server 4.1.
- OC4J: Upgrade to OC4J 9.0.2. Do not download versions 1.0.2.2.1 or 1.0.2.2, which still have this vulnerability.
- Orion: Upgrade to version 1.5.4.
- JRun: Install the patch.
- HPAS: Install Maintenance Pack 8 when it becomes available.
- Pramati: Install Service Pack 1 when it becomes available.
- Jo Webserver: Upgrade to 1.0b7 or higher.
Where can I read more about this?
This vulnerability was posted to VulnWatch.