COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle JSP/SQLJSP handlers in 8.1.7

PROBLEM

    The following is based on Georgi Guninski's security advisory #36.
    Vulnerable are the Oracle JSP/SQLJSP handlers installed by default
    with Oracle 8.1.7 on Windows 2000 (other versions were not tested).

    It is possible to view files outside the web root.  It is also
    possible to execute .JSP files outside the web root, provided they
    reside on the same partition as the web server's root.

    Georgi thinks there are at least two vulnerabilities in the JSP/SQLJSP
    handlers.  Basically, these are directory traversal vulnerabilities:

    1) The following URL:

        http://oraclehost/servlet//..//../o.jsp

       will execute c:\o.jsp if such a file exists.  As a side effect
       this creates the directory C:\servlet\_pages\_servlet and places
       the Java source and the .class file of o.jsp in it.

    2) The following URL:

        http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini

       will read c:\winnt\win.ini.  It is normal to receive an error in
       response to this request.  To see the result, go to:

        http://oraclehost/_pages

       and look in the directories for .java files containing "win".

    3) The following URL:

        http://oraclehost/bb.sqljsp//..//..//..//..//..//../winnt/win.ini

       will read c:\winnt\win.ini.  It is normal to receive an error in
       response to this request.  To see the result, go to:

        http://oraclehost/_pages

       and look in the directories for .java files containing "win".

    All URLs were tested with Netscape 4.76 or with direct HTTP requests.
    They do not work from Internet Explorer.
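    The three request URLs above share one signature: a ".." that follows
    an empty path segment ("//").  As an added example (not part of the
    advisory), the following Python flags such requests in a web server
    access log.  The Common Log Format lines are constructed for the
    demonstration; the three attack request lines reproduce the advisory's
    URLs.  The depth walk skips empty segments the same way the NT
    filesystem collapses repeated separators, so it sees the traversal
    regardless of how many slashes the attacker doubles.

```python
"""Flag '//..//'-style traversal attempts in an access log.

Added example, not part of the advisory. The Common Log Format lines in
SAMPLE_LOG are constructed for the demonstration; the three attack request
lines reproduce the advisory's URLs against a hypothetical Oracle host.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# host ident user [time] "method target protocol" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def escapes_root(url_path: str) -> bool:
    """True if resolving the path component by component ever climbs above
    the web root. Empty segments ('//') and '.' are skipped, so a '..'
    that follows '//' still counts against a real directory, which is
    exactly what the filesystem will do with it."""
    depth = 0
    for seg in unquote(url_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def flag_traversal(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, request path) for every parseable line whose
    request path escapes the web root. The query string is dropped; only
    the path part reaches the JSP handler's file lookup."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if escapes_root(path):
            hits.append((m.group("host"), path))
    return hits


# Constructed sample: three attack lines from one client, two benign ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:01:02 +0000] "GET /servlet//..//../o.jsp HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Jan/2001:10:01:09 +0000] "GET /a.jsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 0',
    '10.0.0.5 - - [01/Jan/2001:10:01:15 +0000] "GET /bb.sqljsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 0',
    '192.168.1.20 - - [01/Jan/2001:10:02:00 +0000] "GET /servlet/hello.jsp?id=7 HTTP/1.0" 200 1024',
    '192.168.1.20 - - [01/Jan/2001:10:02:30 +0000] "GET /img/../css/site.css HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, path in flag_traversal(SAMPLE_LOG):
        print(f"{client} -> {path}")
```

    Note that the benign "/img/../css/site.css" is not flagged: a ".."
    that stays below the root is ordinary relative addressing.  The rule
    fires on depth, not on the presence of "..", so it also catches the
    percent-encoded form after decoding.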

    Basically, two factors combine in the security issue in OracleJSP
    1.1.0 (running on Apache/JServ) as bundled with Oracle 8.1.7.

    The first is OracleJSP 1.1.0 itself.  Although it handles URLs like:

        http://HOST/a.jsp/../../../../../../b.jsp
        http://HOST/../b.jsp

    correctly (there is no security issue in these cases), it does not
    handle a URL like:

        http://HOST/a.jsp//..//..//..//..//..//../b.jsp

    correctly on Windows NT.

    The second is Apache/JServ.  For a URL like:

        http://HOST/servlets/a.jsp

    ("/servlets" is the path mounted as a servlet zone, and .jsp is
    associated with a servlet that handles JSP requests), the
    getPathTranslated() method returns a misleading non-null value,
    "/servlets/a.jsp" (or "c:\servlets\a.jsp" on NT).  This behaviour
    leads most JSP engines to execute an unexpected JSP if a file exists
    at that path.
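    Both factors are the same class of bug: the engine decides on one
    reading of the request path while the filesystem acts on another.  As
    an added example (not OracleJSP or JServ code), the Python below models
    the first factor, the "//..//" handling.  The advisory does not
    describe the engine's internals, so flawed_resolve() is one plausible
    model chosen because it reproduces exactly the behaviour reported
    above: "/a.jsp/../../b.jsp" and "/../b.jsp" are rejected, while
    "/a.jsp//..//..//b.jsp" passes the check and the NT filesystem then
    resolves it outside the root.  DOC_ROOT is a hypothetical web root;
    ntpath.normpath stands in for the Windows path resolution.

```python
"""Check/use mismatch behind the '//..//' traversal in a JSP engine.

Added example, not OracleJSP or Apache/JServ code. flawed_resolve() is a
plausible model of the engine's check, not its actual source; DOC_ROOT is
a hypothetical web root on NT.
"""
import ntpath
from typing import List, Optional

DOC_ROOT = r"C:\docroot"   # hypothetical; the advisory's examples use C:\


def flawed_resolve(url_path: str) -> Optional[str]:
    """Segment-stack check that treats the text between any two slashes,
    including the empty text inside '//', as a path component. A '..'
    then pops that empty component instead of 'a.jsp', so the checker
    believes the path never leaves the root. Returns None when it would."""
    stack: List[str] = []
    for seg in url_path.split("/")[1:]:
        if seg == "..":
            if not stack:
                return None           # climbed above root: reject
            stack.pop()
        else:
            stack.append(seg)         # '' is pushed as well: the bug
    return "/" + "/".join(stack)


def flawed_translate(url_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """The vulnerable flow: run the check, then hand the *raw* URL path to
    the filesystem. NT collapses repeated separators before applying '..',
    so each '..' now pops a real directory. ntpath.normpath models that."""
    if flawed_resolve(url_path) is None:
        return None
    return ntpath.normpath(doc_root + url_path)


def safe_translate(url_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Hardened flow: canonicalise with the same rules the filesystem uses,
    then test containment on the canonical result. The comparison is
    case-folded because NT paths are case-insensitive, and the trailing
    separator stops 'C:\\docroot2' from passing as 'C:\\docroot'."""
    root = ntpath.normpath(doc_root)
    candidate = ntpath.normpath(ntpath.join(root, url_path.lstrip("/")))
    if not ntpath.normcase(candidate).startswith(ntpath.normcase(root) + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    for url in ("/servlet/hello.jsp",
                "/a.jsp/../../../../../../b.jsp",
                "/a.jsp//..//..//..//..//..//../winnt/win.ini"):
        print(url)
        print("  flawed ->", flawed_translate(url))
        print("  safe   ->", safe_translate(url))
```

    The fix is not a better blacklist of ".." spellings but ordering:
    canonicalise first, decide second, and use the platform's own rules
    for canonicalisation so that the check and the open cannot disagree.
    Rejecting any URL containing "//" outright is a reasonable extra
    measure, since a legitimate JSP URL never needs an empty segment, but
    it must not replace the containment test.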

    One more issue concerns Tomcat and Jasper.  FYI, it seems that the
    Tomcat 3.1 final release has security issues with URLs like these:

        http://HOST/a.jsp/../../../../../../b.jsp
        http://HOST/../b.jsp
        http://HOST/a.jsp//..//..//..//..//..//../b.jsp

SOLUTION

    The first problem has been fixed in OJSP 1.1.2.0.

    Tomcat 3.2 and 4.0 were not checked; the issue may have been fixed there.

    A patch for "Potential Vulnerability in the execution of JSPs outside
    doc_root" is also available: upgrade to OJSP Release 1.1.2.0.0, which
    is available from the OJSP web site on Oracle Technology Network.