TOPIC: ====== Apache + Resin Reveals JSP Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/")
Description: ============ Security vulnerability has been found in Windows NT/2000 Systems that have Apache 1.3.29 + Resin 2.1.12 installed. The vulnerability allows remote users view script Source Code And Access files in the Forbidden Directory.
Exploits: ========= http://apache/index.jsp%20 It is possible to cause the Apache server to send back the content of index.jsp.
http://apache/WEB-INF../ It is possible to cause the Apache server to send back the list of "/WEB-INF/" Directory.
Analyze:
========
1.Apache think "/WEB-INF../" unequal to "/WEB-INF/" So find this Directory by itself. 2."/WEB-INF/" Directory not Forbidden in Apache Config files. 3."d:\resin\doc\>cd WEB-INF.." legit in Windows Systems.
Sorry for my poor english.
lovehacker China
Don't put your jsp's under DocumentRoot. Same advice goes for CGI scripts, servlets, et. al.
Bill
