Summary: Server vulnerabilities are the origin of security issues, and hackers have mostly attacked websites to find the vulnerabilities of the other party. So only understand your own vulnerabilities, website management people can take corresponding countermeasures to prevent external attacks. Here is a common vulnerability to some servers (including web servers and JSP servers).
What is any file vulnerability of Apache leaks?
There is an MOD_REWRITE module in Apache 1.2 and later versions, which are used to specify the absolute path mapped on the special URLS on the web server file system. If you transfer a rewrite rule that contains the correct expression parameters, the attacker can view any files on the target host.
The following example shows the rewriting rule instruction (where the first line is only included):
Rewriterule / Test/(.*) / usr / local / data / test-stuff / $ 1
Rewriterule /More-icons/(.*) / ICONS / $ 1
Rewriterule /go/(.*) http://www.apacheweek.com/$1
Affected system:
1) Apache 1.3.12
2) Apache 1.3.11win32
3) Apache 1.2.x
Not affected system: Apache 1.3.13
How to add special characters to the HTTP request caused the exposed JSP source code file?
Unify Ewave ServletExec is a Java / Java Servlet Engine plugin for web servers, such as Microsoft IIS, Apache, Netscape Enterprise servers, and more.
When one of the following characters is added to an HTTP request, servletexec will return the JSP source code file.
.
% 2E
% 2B
/
% 5C
% 20
% 00
Successful use of this vulnerability will result in the source code of the specified JSP file, for example: Use any of the following URL requests to output the source code for the specified JSP file:
1) http: //target/directory/jsp/file.jsp.
2) http://target/directory/jsp/file.jsp.
3) http://target/directory/jsp/file.jsp
4) http://target/directory/jsp/file.jsp+
5) http: //target/directory/jsp/file.jsp/
6) http://target/directory/jsp/file.jsp\
7) http://target/directory/jsp/file.jsp
8) http: //target/directory/jsp/file.jsp�
Affected system:
1) Unify Ewave ServletExec 3.0c
2) Sun Solaris 8.0
3) Microsoft WINDOWS 98
4) Microsoft Windows NT 4.0
5) Microsoft Windows NT 2000
6) Linux kernel 2.3.x
7) IBM AIX 4.3.2
8) HP HP-UX 11.4
solution:
If you do not use any static pages or images, you can configure a default servlet and map "/" to this default servlet. This is called when it is received when a URL that is not mapped to a servlet is received. In this case, the default servlet can only return "Did not find the file". If a static page or image is used, it is still possible to make this configuration, but it is necessary to make this default servlet process to a legal static page and an image request. Another possibility is to map * .jsp , *. Jsp. And * .jsp /, etc. to a servlet, and the servlet just returns "Did not find file". For the case of * .jsp% 00 and * .jsp% 20, the mapping should be entered in the form of not coded. For example, the mapping of * .jsp% 20 should enter "* .jsp". Note that% 20 is converted into a space character.
What are the vulnerabilities in Tomcat?
Tomcat 3.1 There is exposed website path problem
Tomcat 3.1 is a software that supports JSP 1.1 and Servlets 2.2 in the Apache software environment. It has a security problem when sending a non-existing JSP request to expose the full path to the website on the website.
Example:
http://narco.guerrilla.sucks.co:8080/Anything.jsp
The results show that:
Error: 404
Location: / producthes.jsp
JSP file "/appsrv2/jakarta-tomcat/webapps/root/aNything.jsp" Not found
Solution: Upgrade to the new version
Tomcat exposes JSP file content
The Java Server Pages (JSP) type file is registered with the '.jsp' extension on Tomcat, Tomcat is a file name sensitive, '. JSP' and '.jsp' are different types of file extensions. If you submit a link to Tomcat, Tomcat can't find '.jsp', you will respond to requests with the default '.text' file type. Because the case where the case file name in the NT system is non-sensitive, the requested file will be sent in the form of text.
If "File Not Found" error message will appear on the UNIX server.
How to implement code protection for Tomcat under Windows
Some of Tomcat have a vulnerability of leak source code. If you change the suffix of the file to uppercase when calling a JSP page in your browser, the source code of this JSP file will be fully output into the browser (maybe anything in the browser window No, you only need to view the HTML source file). In this way, is the source code of the website?
Don't worry, the solution is very simple, write all the combinations of various suffixes to Tomcat_home / conf /meb.xml, so tomcat will treat the JSP of different retrore names, and will not disclose the code.
JSP
* .jsp
JSP
* .jsp
? lt; servlet-name> JSP
* .jsp
JSP
* .jsp
JSP
* .Jsp
JSP
* .Jsp
JSP
* .Jsp
JSP
* .Jsp
What can Allair Jrun vulnerabilities?
Allair JRUN illegally reads Web-INF vulnerability
There is a serious security vulnerability in Allaire's JRun server version 2.3. It allows an attacker to view the web-inf directory in the JRUN 3.0 server.
If the user is submitted to the URL request, the URL is to become a malformed URL by adding a "/", and all subdirectories under Web-INF will be exposed. The attacker uses the vulnerability to remotely obtain the read permissions of all files in the web-inflicity of the target host system. For example, using this URL will expose all files under Web-INF:
http://site.running.jrun: 8100 // Web-Inf /
Affected system: Allaire Jrun 3.0
Solution: Download and install the patch:
Allaire Patch JR233P_ASB00_28_29
http://download.allaire.com/jrun/jr233p_asb00_28_29.zip
Windows 95/98 / NT / 2000 and Windows NT Alpha
Allaire Patch JR233P_ASB00_28_29TAR
http://download.allaire.com/jrun/jr233p_asb00_28_29.tar.gz
UNIX / Linux Patch - GNU Gzip / Tar
Allaire JRun 2.3 View any file vulnerability
There is a multi-display code vulnerability on Allaire's JRUN server 2.3. This vulnerability allows an attacker to view the source code for any file in the root directory on the web server.
JRUN 2.3 uses Java Servlets to parse a variety of types of pages (for example: HTML, JSP, etc.). Based on Rules.properties and Servlets.properties file settings, you may use the URL prefix "/ servlet /" to call any servlet.
It may use JRun's SSIFILTER Servlet to retrieve any files on the target system. The following 2 examples show URLs that can be used to retrieve any files:
Http: // jrun: 8000 / servlet / com.livesoftware.jrun.plugins.ssi.ssifilter /../.. t e jj
http: // jrun: 8000 / servlet / com.livesoftware.jrun.plugins.ssi.ssifilter /../../..../../../../ boot.ini
Http: // jrun: 8000 / servlet / com.livesoftware.jrun.plugins.ssi.ssifilter /../../Winnt/repair/sam../winnt/repair/sam
http: // jrun: 8000 / servlet / ssifilter /../../ Test.jsp
http: // jrun: 8000 / servlet / ssifilter /../../../../../ boot.ini
http: // jrun: 8000 / servlet / ssifilter /../../../../../../WinNT / Repair / Sam._
Note: Suppose JRUN is running on the host "JRUN", port 8000.
Affected system: Allaire Jrun 2.3.x
Solution: Download and install the patch:
Allaire Patch JR233P_ASB00_28_29
http://download.allaire.com/jrun/jr233p_asb00_28_29.zip
Windows 95/98 / NT / 2000 and Windows NT Alpha
Allaire Patch JR233P_ASB00_28_29TAR
http://download.allaire.com/jrun/jr233p_asb00_28_29.tar.gz
UNIX / Linux Patch - GNU Gzip / Tarallaire JRun 2.3 Remote Execution Arbitrary Command Vulnerability
There is a security vulnerability on Allaire's JRUN server 2.3 that allows remote users to compile / execute any files on the web server as JSP code. If the target file requested by the URL uses the prefix "/ servlet /", the JSP interpretation execution function is activated. Use "../" in the target file path requested by the user, it is possible to access files other than the root directory of the web server. Using this vulnerability requesting user input on the target host, it will seriously threaten the security of the target host system.
E.g:
Http: // jrun: 8000 / servlet / com.livesoftware.jrun.plugins.jsp.jsp /../../ Path / to /Temp.txt
http: // jrun: 8000 / servlet / jsp /../../ path / to / temp.txt
Affected system: Allaire Jrun 2.3.x
Solution: Download and install the patch:
Allaire Patch JR233P_ASB00_28_29
http://download.allaire.com/jrun/jr233p_asb00_28_29.zip
Windows 95/98 / NT / 2000 and Windows NT Alpha
Allaire Patch JR233P_ASB00_28_29TAR
http://download.allaire.com/jrun/jr233p_asb00_28_29.tar.gz
UNIX / Linux Patch - GNU Gzip / Tar
JRUN 2.3.X Sample File Exposure Site Security Information
JRun 2.3.x has some servlet sample files in the JRUN_HOME / servlets directory, which is JRun 2.3.x used to load and execute servlets files. Files that all extensions ".java" or "class" must be deleted because these files expose the security information of the site. E.g:
http://www.xxx.xxx/servlet/sessionServlet exposes HTTP connection information held by the current server. The content in the JRUN_HOME / JSM-Default / Services / JWS / HTDOCS directory should also be deleted. This directory saves the '.jsp' file with the demo server function, some of which involves accessing the server file system and exposing the server settings. For example, the path check for file "ViewSource.jsp" is the default shutdown, which can be used to access server file systems.
solution:
1) Install 2.3.3 Service Pack
2) Delete all instructions, demos, samples, and textbooks from the server, including the documentation in the JRUN_HOME / Servlets directory and the JRUN_HOME / JSM-Default / Services / JWS / HTDOCS directory when installing JRUN 2.3.x.
Related sites: http://www.allaire.com/
What are the vulnerabilities in IBM WebSphere Application Server?
1, IBM WebSphere Application Server 3.0.2 There is exposed source code vulnerability
IBM WebSphere Application Server allows attackers to view all files above the web server root directory. IBM WebSphere uses Java Servlets to handle multiple page types (such as HTML, JSP, JHTML, etc.). The different servlets of In Addition is processed for different pages. If a request file is not registered, WebSphere will use a default servlet. If the file path will begin with "/ servlet / file /" This default servlet will be called this request file that will be displayed or compiled. Affected system: all versions of IBM WebSphere 3.0.2
Example:
If a URL of a request file is "login.jsp" :: http: //site.running.Websphere/login.jsp, then access http: //site.running.websphere/servlet/file/login.jsp will see this The source code of the file.
Solution: Download and install patch
http://www-4.ibm.com/software/webservers/appserv/efix.html
Related sites: http://www-4.ibm.com/software/webservers/appserv/
IBM WebSphere Application Server exposed JSP file content
The Java Server Pages (JSP) type file is registered with the '.jsp' extension in WebSphere Application Serve, WebSphere is the file name sensitive, '. JSP' and '.jsp' are different types of file extensions. If you submit a link to WebSphere, WebSphere is not found to respond to requests with the default '.text' file type. Because the case where the case file name in the NT system is non-sensitive, the requested file will be sent in the form of text.
If "File Not Found" error message will appear on the UNIX server.
Solution: Click here to download the patch
Related sites: http://www-4.ibm.com/software/webservers/appserv/efix.html
What are the exposure source code vulnerabilities in BEA WebLogic?
Affected version:
On all systems
BEA WebLogic Enterprise 5.1.x
BEA WebLogic Server and Express 5.1.x
BEA WebLogic Server and Express 4.5.x
BEA WebLogic Server and Express 4.0.x
BEA WebLogic Server And Express 3.1.8
This vulnerability enables an attacker to read the source code for all files in the web directory.
WebLogic relies on four main Java Servlets to serve different types of files. These servlets are:
1) FILESERVLET - for simple HTML page
2) SSISERVLET - For Server Side Includes page
3) PageCompileServlet - For Jhtml page
4) JSPSERVLET - For Java Server page
Look at the WebLogic.Properties file, here is the registration value of each servlets:
1) WebLogic.httpd.register.file = WebLogic.Servlet.FileServlet2) WebLogic.httpd.register. *. Shtml = WebLogic.Servlet.serversideInCludeServlet
3) WebLogic.httpd.register. *. Jhtml = WebLogic.Servlet.jhtmlc.pageCompileServlet
4) WebLogic.httpd.register. *. Jsp = WebLogic.Servlet.jspservlet
More weblogic.properties files, if a request file is not registered, then a default servlet will be called. The following is how the default servlet is registered.
# Default servlet registration
# -------------------------------------------------
# Virtual name of the default servlet if no matching servlet
# is found to webLogic.httpd.defaultServlet = file
So if the file path in the URL begins to "/ file /", it will cause WebLogic to call the default servlet, which will make the web pages to be displayed directly and compile.
Argumentation:
Just join "/ file /" before you want to see the original URL path, let the files do not have analyzed and compiled, directly exposed the source code. Such as: http: //site.running.weblogic/login.jsp, then just access http: //site.running.weblogic/file/login.jsp will see the contents of the file in the web browser.
The following is how to use:
1. View unsatisfactory pages by enforce SSISERVLET:
The server site is registered in the WebLogic.properties file in WebLogic.httpd.register. *. Html = WebLogic.Servlet.ServersideInCludeServlet
Use the SSISERVLET to automatically process wildcards (*) via URL. So if the file path begins to /*.SHTML, the mandatory file is processed by the SSISERVLET. If you use other file types such as .jsp and .jhtml, you can view unsatisfactory JSP and JHTML code. Example: http://www.xxx.com/*.shtml/login.jsp
2. View unsatisfactory pages by enforce FILESERVLET:
WebLogic configures consolehelp servlet using the FILOGESERVLET, in the WebLogic.Properties file, you can know:
# For console help. Do not motify.
WebLogic.httpd.register.consoleHelp = WebLogic.Servlet.FileServlet
WebLogic.httpd.initargs.consoleHelp = / defaultFileName = / WebLogic / Admin / Help / Nocontent.html
WebLogic.Allow.execute.weblogic.servlet.consoleHelp = Everyone
So if the file path will cause WebLogic to use FileServlet to display the unsteady or compiled files, for example: http://www.xxx.com/consolehelp/login.jsp Solution:
Do not use the setting method in the example to set the FileServlet. This may expose the source code of your JSP / JHTML file. Check out the online documentation:
http://www.weblogic.com/docs51/admindocs/http.html#file
The example of the registrations is as follows:
WebLogic.httpd.register.file = WebLogic.Servlet.FileServlet
WebLogic.httpd.initargs.file = defaultfilename = index.html
WebLogic.httpd.defaultServlet = file
There are two ways to avoid this problem:
(1) Register those file servlets use the random username and increase the difficulty of guessing. For example, using the same as such a registration file servlet is 12FOO34:
WebLogic.httpd.register.12foo34 = WebLogic.Servlet.FileServlet
WebLogic.httpd.initargs.12foo34 = defaultfilename = index.html
WebLogic.httpd.defaultServlet = 12foo34
(2) Registration file servlet Use Wild Cards to declare that you will use all of these file extensions. Example Registration File Servlet is .html file service:
WebLogic.httpd.register. *. html = weblogic.servlet.FileServlet
WebLogic.httpd.initargs. *. html = defaultFileName = index.html
WebLogic.httpd.defaultServlet = *. html
Use the above method to repeat the following types of files * .gif, * .jpg, * .pdf, * .txt, etc.
Note: This information is required to have proof in the BEA WebLogic Server and Express file: http://www.weblogic.com/docs51/admindocs/lockdown.html
Another: Please pay attention to the new version and upgrade it.
