__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Sun ONE Application Server May Disclose JavaServer Pages (JSP) Source [Sun(sm) Alert Notification 55221] June 4, 2003 19:00 GMT Number N-103 [REVISED 07 Jun 2004] ______________________________________________________________________________ PROBLEM: There are four issues with the Sun ONE Application Server: 1) JSP Source code Disclosure - It may be possible to view the source code of JSP applications deployed on the Windows platform. 2) Log evasion - Only the first 4042 characters of a request URI are logged, even though the maximum URI length appears to be 4096 characters. 3) Cross-site scripting - A sample application shipped with the product may be vulnerable to cross-site scripting attacks. 4) Statefile permissions on Windows - This file can be used as a template for silent installation on other machines. PLATFORM: * Sun ONE Application Server 7.0 SE * Sun ONE Application Server 7.0 PE DAMAGE: 1) It is possible to view the source code of JSP applications by changing the case of the file extension in the HTTP request. The vulnerability is due to Unix code being ported to the Microsoft Windows platform where the filesystem is case insensitive. 2) This vulnerability gives an attacker 54 characters to construct an attack with. 3) If an error occurs while processing a Java application, it may be possible to execute cross-site scripting attacks by placing scripted content in the query string. 4) The statefile contains a plaintext username and password to the administrative server. SOLUTION: Upgrade and apply workaround as stated in Sun's Alert Notification. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. The most serious vulnerability is the ASSESSMENT: possibility of viewing source code of JSP applications, and cross-site scripting attacks. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-103.shtml ORIGINAL BULLETIN: http://au.sunsolve.sun.com/search/document.do?assetkey=1-26-55221-1 ______________________________________________________________________________ REVISION HISTORY: 6/07/04 - updated Sun Alert Notification 55221 to reflect changes of 12/19/03 and 06/07/04. [***** Start Sun(sm) Alert Notification 55221 *****] Sun(sm) Alert Notification Sun Alert ID: 55221 Synopsis: Sun One Application Server May Disclose JSP Source Category: Security Product: Sun ONE Application Server BugIDs: 4838909, 4773335, 4840324, 4733798 Avoidance: Workaround, Upgrade State: Resolved Date Released: 03-Jun-2003, 19-Dec-2003 Date Closed: 19-Dec-2003 Date Modified: 19-Dec-2003 1. Impact SPI Labs have reported the following issues with Sun ONE Application Server. 1. JSP Source code Disclosure It may be possible to view the source code of JSP applications deployed on the Windows platform. 2. Log evasion When a request is sent to the Application Server with a long URI only the first 4042 characters of the request URI are logged. 3. Cross-site scripting A sample application shipped with the product may be vulnerable to cross- site scripting attacks. 4. Statefile permissions on Windows A statefile is created during installation of the Application Server. This file can be used as a template for silent installation on other machines. On the Windows platform, this file is world-readable. These issues are described in the SPI Security Advisory located at: http://www.securityfocus.com/archive/1/322946/2003-05-25/2003-05-31/0 2. Contributing Factors These issues can occur in the following releases: Sun ONE Application Server 7.0 SE Sun ONE Application Server 7.0 PE For supported architectures and OS versions see: Standard Edition: http://wwws.sun.com/software/download/products/3ec3e772.htm Platform Edition: http://wwws.sun.com/software/download/products/3ec1008e.htm 3. Symptoms Log evasion The following error message may be found in the server log: WARNING: HTTP4198: flex log buffer overflow- greater than 4096 character 4. Relief/Workaround The following are workarounds for the cross-site scripting and the statefile permission issues: 1. Cross-site scripting Un-deploy webapp-simple.ear if it is deployed. The deployed application will be in the following directory: $AS_DEF_DOMAINS_PATH/domains//applications/j2ee-modules/webapps- simple_1 The admin GUI will also show the deployed applications. Note: Both AS_INSTALL and AS_DEF_DOMAINS_PATH are defined in the asenv.conf file 2. Statefile permissions on Windows When installing the SunONE Application Server on Windows, the default installation directory is "C:\sun" Any file or directory created in this directory will be world-readable. The "statefile" located at "C:\sun\appserver7\statefile" contains a plain text username and password to the administrative server. After installation, the administrator can change the permission of this file for use to "administrator only" or delete this file since it's main purpose is for silent installation using this file on multiple machines. 5. Resolution The cross-site scripting issue has been addressed with Sun ONE Application Server 7.0 Update Release 1 or later. It is available for download at: Standard Edition: http://wwws.sun.com/software/download/app_servers.html Platform Edition: http://wwws.sun.com/software/download/app_servers.html The logging and JSP source code issues has been addressed with SunONE Application Server 7.0 Update release 2 or later. It is available for download at: http://wwws.sun.com/software/download/app_servers.html Note: Administrators installing the Sun ONE Application Server on Windows should either change the permission of the statefile or delete the file. There will not be a code fix for this issue. The recommendation to change permissions or delete the statefile will be documented in the release notes of Update 2. Change History 19-Dec-2003: Updated Resolution section Changed State to Resolved This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, th! e Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. [***** End Sun(sm) Alert Notification 55221 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Sun Microsystems, Inc. and SPI Dynamics, Inc. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) N-093: Cisco VPN 3000 Concentrator Vulnerabilities N-094: HP Potential Security Vulnerability in wall(1M) N-095: Red Hat Multiple Vulnerabilities in KDE N-096: Red Hat New Kernel Fixes Local Security Issues N-097: Red Hat Updated Tcpdump Packages N-098: Microsoft Cumulative Patch for Internet Information Service (IIS) N-099: Apache 2.0.46 Release Fixes Security Vulnerabilities N-100: Microsoft Windows Media Services ISAPI Extenstion Flaw N-101: Microsoft Cumulative Patch for Internet Explorer (IE) N-102: Hewlett-Packard Potential Security Vulnerabilities in CDE