COMMAND
ServletExec
SYSTEMS AFFECTED
ServletExec AS v3.0c + web instance
PROBLEM
Wojciech Woch found the following. Test environment:
NT 4.0 SP6a
IIS v4
Sun JDK v1.2.2.006
ServletExec AS v3.0C
Under a particular configuration, ServletExec AS v3.0C will
disclose the source code of JSP pages when some special characters
are appended to HTTP requests.
Specifically, when a web instance is installed and named after an
existing Web application, or its name is manually added on the
servletexec.servername.applications line in
servletexec.properties, the source code of a JSP page will be
displayed if one of the following characters is present at the
end of the request:
. and %2E
+ and %2B
\ and %5C
%20
%00
All values from %00 to %FF were checked.
Here's the procedure to reproduce the behaviour on the test
environment with the exampleWebApp that is provided with
ServletExec.
* Launch ServletExec_AS_30C.exe to install ServletExec AS v3.0c
* Choose Install a ServletExec AS instance
* Default install directories (ex: C:\Program Files\Unify\ServletExec AS)
* Name the instance with the servername (ex: servtest)
* Setup type is Microsoft IIS or PWS
* Install servletexec as NT Service
* Once the installation's complete, stop and restart IIS Admin
and World Wide Web Publishing services
* Start the ServletExec service (ex: ServletExec-servtest)
* Connect to the admin servlet (ex: http://servtest/servlet/admin)
* Go to Web applications/Configure
* Add exampleWebApp (ex: Name=ex, URL=/ex, Location=C:\Program Files\Unify\ServletExec AS\Examples\exampleWebApp)
* The application should be accessible under
http://servtest/ex/jsp/simple.jsp but NOT its source code
(returns 404 errors on attempts such as http://servtest/ex/jsp/simple.jsp.)
We now run the ServletExec_AS_30C.exe setup again to add a web
instance:
* Choose Install or Update a web server adapter
* Setup type is Microsoft IIS or PWS
* Name of the ServletExec AS instance is as before (ex: servtest)
* Application URL is /ex
* Once the installation's complete, stop and restart IIS Admin
and World Wide Web Publishing services
At this point, we are able to retrieve the source code of JSP
pages accessible within the application directory tree. Example
requests that produce the source are:
http://servtest/ex/jsp/simple.jsp.
http://servtest/ex/jsp/simple.jsp+
http://servtest/ex/jsp/simple.jsp\
http://servtest/ex/jsp/simple.jsp%20
http://servtest/ex/jsp/simple.jsp%00
In other words, the problem seems to occur as soon as we touch
servletexec.properties and add an existing application's URL (/ex)
as a parameter to servletexec.servtest.applications or to
servletexec.servtest.aliases (this second case occurs if we
choose a different name for the instance during the Update
process - we can still view the source code).
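The trailing-character forms listed above, checked against a request log (an added example, not part of the original advisory or of ServletExec itself): the function below URL-decodes a request path and flags a .jsp name followed only by the characters the advisory names, so a 200 response on such a request stands out as a probable source disclosure. The log lines are constructed samples in the W3C extended format; the field order (date, time, client IP, method, URI stem, status) is an assumption.

```python
import re
from urllib.parse import unquote

# Trailing characters that, per the advisory, make ServletExec AS 3.0C
# return JSP source instead of executing the page. Shown decoded; the
# encoded forms (%2E, %2B, %5C, %20, %00) collapse to these after unquoting.
JSP_SUFFIX_RE = re.compile(r"\.jsp([.+\\ \x00]+)$", re.IGNORECASE)


def is_jsp_source_probe(path: str) -> bool:
    """True when the path is a JSP name followed only by one or more of the
    trailing characters listed in the advisory (encoded or not)."""
    # Drop any query string, then decode percent-encoding so %2E etc. match.
    stem = path.split("?", 1)[0]
    return JSP_SUFFIX_RE.search(unquote(stem)) is not None


# Constructed sample log (not real traffic), W3C extended format as IIS 4
# writes it; assumed fields: date time c-ip cs-method cs-uri-stem sc-status.
SAMPLE_LOG = """\
2000-11-02 10:15:01 10.0.0.5 GET /ex/jsp/simple.jsp 200
2000-11-02 10:15:07 10.0.0.5 GET /ex/jsp/simple.jsp. 200
2000-11-02 10:15:09 10.0.0.5 GET /ex/jsp/simple.jsp%2B 200
2000-11-02 10:15:12 10.0.0.5 GET /ex/jsp/simple.jsp%00 200
2000-11-02 10:16:30 10.0.0.9 GET /ex/images/logo.gif 200
2000-11-02 10:16:45 10.0.0.9 GET /ex/jsp/simple.jsp?name=a+b 200
"""


def find_probes(log_text: str):
    """Return (client_ip, uri_stem, status) for each GET whose URI matches
    the source-disclosure pattern; a 200 here means the server most likely
    served the JSP source rather than executing it."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[3] != "GET":
            continue
        ip, uri, status = fields[2], fields[4], fields[5]
        if is_jsp_source_probe(uri):
            hits.append((ip, uri, status))
    return hits


if __name__ == "__main__":
    for ip, uri, status in find_probes(SAMPLE_LOG):
        print(f"{ip} requested {uri!r} -> HTTP {status}: likely JSP source disclosure")
```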
A similar problem was discovered by Niclas Vikstrom. Source code
could be displayed when the page extension was specified in
uppercase, but the problem was fixed in v3.0C.
Foundstone Inc. discovered two other vulnerabilities with v3.0C that
should be fixed in v3.0E. As of today, this version still cannot
be found for download at so it could not be tested.
SOLUTION
Issue reported on October 27th to support@servletexec.com.
Confirmation on November 2nd that the problem was reproduced.
A temporary workaround was provided (see below). No ETA for a
fix.
Unify's support provided the following workarounds for people who
might be impacted by the issue: "If they don't have any static
pages or images in their web application then they can configure
a default servlet by mapping '/' to their default servlet. This
will cause their default servlet to be called for any URLs which
don't map to a servlet. In this case their default servlet can
just return File Not Found. If they do have static pages or
images then they can still do this but they'll need to have their
default servlet serve up valid static pages and images."
"Another possibility is to map *.jsp+, *.jsp., *.jsp\, etc. to a
servlet which just returns File Not Found. For the *.jsp%00 and
*.jsp%20 cases they'll need to enter the mappings in unencoded
form. For example, the mapping for *.jsp%20 would need to be
entered as "*.jsp ". Note that the %20 was converted to a space
character."