COMMAND

    java

SYSTEMS AFFECTED

    Java Web Server 1.1 and later (confirmed on 1.1.2, Solaris and
    Windows NT); versions older than 1.1 are not affected

PROBLEM

    Leland Baker of the San Diego Daily Transcript reported a new source
    disclosure bug affecting Java Web Server 1.1 and later.  It was
    discovered by one of the paper's readers.

    For the second time in less than a month, Sun Microsystems has
    confirmed the existence of a bug that could expose the source code
    behind server-side scripts contained within Web pages running under
    Java Web Server.  First reported to the San Diego Source by one of
    its readers, the bug appears to affect only recently upgraded
    versions of the software.

    The new bug is practically identical in effect to one discovered
    last month by programmers at the San Diego Source.  That bug, which
    exposed a Web page's source code when a user appended "%20" to the
    end of a URL, ultimately affected Web server software from Netscape,
    O'Reilly & Associates, Process Software and Sun Microsystems.  In
    some situations it could reveal the code behind scripts that are
    meant to be processed on the Web server and would not otherwise be
    visible.  That bug, however, was tied to a flaw in the Windows 95,
    98 and NT operating systems, while the new bug appears to be native
    to Java Web Server.  Programmers at the San Diego Source have been
    able to exploit the new bug on Java Web Server 1.1.2 running under
    Solaris and Windows NT.  One of the issues addressed in Java Web
    Server 1.1.2 was the "%20" bug.

    Rob Clark, project lead for Sun's Java Web Server, said the bug
    potentially affects all versions of Java Web Server numbered 1.1 or
    later and is a completely separate issue from the earlier bugs
    affecting products running under Microsoft Windows.  "The end
    result is the same, but this bug is completely unrelated.  This is
    not a Microsoft bug," Clark said.

    According to Clark, the bug is an unwanted side effect of Java Web
    Server's Invoker Servlet, which allows developers to drop all
    servlets into a single directory and then invoke them from a tag
    within the Web page.  The feature was intended to let Web site
    developers execute servlets with virtually no administration.
    Unfortunately, by putting the invoker path into the URL, a user can
    tell the invoker to hand an arbitrary file to the "file" servlet,
    which returns the file's raw contents instead of the output of
    processing it.  For example, if the sample.jhtml file can be
    accessed by the URL

        http://www.myserver.com/sample.jhtml

    you can read the source code of sample.jhtml by requesting

        http://www.myserver.com/servlet/file/sample.jhtml

    In most cases such a bug would not present a real security threat,
    because viewing the source of a Web page is already an option in
    most popular browsers.  But if a page contains server-side scripts,
    which are commonly used to interact with servlets and company
    databases, the exposed source can contain user names and passwords
    (database credentials, for instance) that the processed page never
    shows to the client.
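
    Because the only distinguishing feature of this attack is the
    invoker prefix in the request path, it is easy to spot in access
    logs.  The following Python script is an added example written for
    this page; it is not code from Sun, the San Diego Source or the
    original advisory.  It assumes the server writes Common Log Format
    lines, takes the "file" servlet name from the example URL above,
    and uses a few constructed log lines as input.  It decodes
    percent-encoding first so that a request such as
    /servlet/file/%73ample.jhtml is not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real
# traffic).  Lines 2, 3, 5 and 6 go through the invoker's "file"
# servlet; line 4 invokes a normal servlet and is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/1998:10:12:01 -0700] "GET /sample.jhtml HTTP/1.0" 200 1843
10.0.0.7 - - [05/Oct/1998:10:12:09 -0700] "GET /servlet/file/sample.jhtml HTTP/1.0" 200 2210
10.0.0.7 - - [05/Oct/1998:10:12:15 -0700] "GET /servlet/file/admin/login.jhtml HTTP/1.0" 200 3301
10.0.0.9 - - [05/Oct/1998:10:13:00 -0700] "GET /servlet/HelloWorld HTTP/1.0" 200 120
10.0.0.9 - - [05/Oct/1998:10:13:04 -0700] "GET /servlet/file/%73ample.jhtml HTTP/1.0" 200 2210
10.0.0.3 - - [05/Oct/1998:10:14:00 -0700] "GET /servlet/file/sample.jhtml HTTP/1.0" 404 210
"""

# client, timestamp, method, path, status, size
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Invoker prefix seen in the advisory's example URL.  The servlet
# name "file" is taken from that URL; adjust if a site renamed it.
INVOKER_FILE_PREFIX = '/servlet/file/'


def invoker_target(path):
    """Return the file requested through the invoker's 'file' servlet,
    or None when the request does not use that path.  The query string
    is dropped and percent-encoding decoded before matching."""
    decoded = unquote(path.split('?', 1)[0])
    if decoded.startswith(INVOKER_FILE_PREFIX):
        return decoded[len(INVOKER_FILE_PREFIX):]
    return None


def find_source_disclosure(log_text):
    """Scan CLF log text and return one dict per request that went
    through the invoker's file servlet.  'served' is True when the
    server answered 200, i.e. the raw file was most likely returned."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        client, stamp, method, path, status, _size = m.groups()
        target = invoker_target(path)
        if target is None:
            continue
        hits.append({
            'client': client,
            'time': stamp,
            'method': method,
            'target': target,
            'status': int(status),
            'served': status == '200',
        })
    return hits


if __name__ == '__main__':
    for hit in find_source_disclosure(SAMPLE_LOG):
        flag = 'SOURCE SERVED' if hit['served'] else 'attempt'
        print(f"{hit['time']} {hit['client']} {hit['method']} "
              f"{hit['target']} ({hit['status']}) {flag}")
```

    A 404 on such a request (the last sample line) still shows that
    someone is probing for the invoker, so the scan reports attempts as
    well as successful reads.  Run the same scan after applying Sun's
    workaround: any /servlet/file/ request that still returns 200 means
    the invoker was not actually disabled.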

SOLUTION

    Sun has posted a simple workaround, which consists of disabling the
    invoker servlet, on its Java Web Server site at

        http://jserv.java.sun.com

    After disabling it, confirm that a request of the form
    http://www.myserver.com/servlet/file/sample.jhtml no longer returns
    the page source.  Versions of Java Web Server older than 1.1 are
    not vulnerable to this bug.