Oracle JSP Apache/Jserv Path Translation Arbitrary JSP File Execution

medium Nessus Plugin ID 10925

Synopsis

A remote web application is vulnerable to several flaws.

Description

Detects Vulnerability in the execution of JSPs outside doc_root.

A potential security vulnerability has been discovered in Oracle JSP releases 1.0.x through 1.1.1 (in Apache/Jserv). This vulnerability permits access to and execution of unintended JSP files outside the doc_root in Apache/Jserv. For example, accessing http://www.example.com/a.jsp//..//..//..//..//..//../b.jsp will execute b.jsp outside the doc_root instead of a.jsp if there is a b.jsp file in the matching directory.

Further, Jserv Releases 1.0.x - 1.0.2 have additional vulnerability:

Due to a bug in Apache/Jserv path translation, any URL that looks like:
http://host:port/servlets/a.jsp, makes Oracle JSP execute 'd:\servlets\a.jsp' if such a directory path actually exists. Thus, a URL virtual path, an actual directory path and the Oracle JSP name (when using Oracle Apache/JServ) must match for this potential vulnerability to occur.

Vulnerable systems:
Oracle8i Release 8.1.7, iAS Release version 1.0.2 Oracle JSP, Apache/JServ Releases version 1.0.x - 1.1.1

Solution

Upgrade to OJSP Release 1.1.2.0.0, available on Oracle Technology Network's OJSP website.

Plugin Details

Severity: Medium

ID: 10925

File Name: jserv_execute.nasl

Version: 1.22

Type: remote

Family: Databases

Published: 3/27/2002

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:oracle:application_server

Required KB Items: www/apache