Hi, Jon,
(This message was sent to [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED])
Regarding Jon's posting at:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=162712
I would like to provide more information.
Basically, there are two factors in the security
issue in OracleJSP 1.1.0 (running on Apache/JServ)
bundled in Oracle 8.1.7:
(1) OracleJSP 1.1.0 itself:
Although OracleJSP 1.1.0 handles URLs like:
http://HOST/a.jsp/../../../../../../b.jsp
http://HOST/../b.jsp
correctly (without a security issue in these cases),
it does not handle URLs like:
http://HOST/a.jsp//..//..//..//..//..//../b.jsp
correctly on Windows NT.
This has been fixed in OJSP 1.1.2.0.
(2) Apache/JServ:
http://HOST/servlets/a.jsp
("/servlets" is the path mounted with a servlet
zone. .jsp is associated with a servlet handling
JSP requests.)
The getPathTranslated() returned a misleading
non-null value, which is "/servlets/a.jsp" (or
"c:\servlets\a.jsp" on NT)
This behavior will lead most JSP engines to
execute an unexpected jsp, if such a jsp exists.
The Apache/JServ maintenance people within Oracle
are fixing this problem also.
One more issue: it's about Tomcat and Jasper. FYI,
it seems to me that Tomcat 3.1 final release has
security issues on URL cases like these:
http://HOST/a.jsp/../../../../../../b.jsp
http://HOST/../b.jsp
http://HOST/a.jsp//..//..//..//..//..//../b.jsp
I have not checked with Tomcat 3.2 or 4.0. It may
have been fixed.
Regards,
Alex Yiu
** The statements and opinions expressed here are
my own and **
** do not necessarily represent those of Oracle
Corporation. **
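
Added example, not part of the original message and not Oracle's, Apache JServ's or Tomcat's code: a lexical path check a JSP front end could apply so that the three URL forms quoted above are all treated the same way. The class and method names are hypothetical, and the path is assumed to be percent-decoded already.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class JspPathCheck {
    /**
     * Normalizes a request path lexically. Returns the normalized path,
     * or null when the path tries to climb above the web root.
     * Assumption: requestPath has already been percent-decoded.
     */
    static String normalize(String requestPath) {
        // Treat backslashes as separators too, since the message reports
        // the "//..//" problem on Windows NT.
        String p = requestPath.replace('\\', '/');
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            // Drop empty segments first, so "//..//" resolves exactly
            // like "/../" instead of being seen as a different shape.
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (stack.isEmpty()) {
                    return null;   // would leave the web root: reject
                }
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Constructed sample paths modelled on the URL forms in the message.
        String[] samples = {
            "/a.jsp/../../../../../../b.jsp",
            "/../b.jsp",
            "/a.jsp//..//..//..//..//..//../b.jsp",
            "/dir/a.jsp//..//b.jsp",
        };
        for (String s : samples) {
            String n = normalize(s);
            System.out.println(s + " -> " + (n == null ? "REJECT" : n));
        }
    }
}
```

Only the normalized result should be mapped to a file on disk; a request whose normalized form is null is refused before any file lookup.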