|
|
GNUJSP 存在文件泄露漏洞
发布时间:2002-02-22
更新时间:2002-02-22
严重程度:中
威胁程度:远程非授权文件存取
错误类型:配置错误
利用方式:服务器模式
BUGTRAQ ID:4125
受影响系统GNUJSP GNUJSP 1.0.0
- Debian Linux 2.2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0SP1
- Microsoft Windows NT Workstation 4.0SP2
- Microsoft Windows NT Workstation 4.0SP3
- Microsoft Windows NT Workstation 4.0SP4
- Microsoft Windows NT Workstation 4.0SP5
- Microsoft Windows NT Workstation 4.0SP6a
GNUJSP GNUJSP 1.0.1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0SP1
- Microsoft Windows NT Workstation 4.0SP2
- Microsoft Windows NT Workstation 4.0SP3
- Microsoft Windows NT Workstation 4.0SP4
- Microsoft Windows NT Workstation 4.0SP5
- Microsoft Windows NT Workstation 4.0SP6a 详细描述
GNUJSP (http://www.klomp.org/gnujsp/)存在安全漏洞,可以通过提交特殊的WEB
请求导致目录遍历而文件目录可读,并可以造成脚本源代码泄露问题。
测试代码
http://site/servlets/gnujsp/[dirname]/[file]
解决方案
下载使用如下补丁程序:GNUJSP GNUJSP 1.0.0:
Debian Upgrade gnujsp_1.0.0-5_all.deb
http://security.debian.org/dists/stable/updates/contrib/binary-all/gnujsp_1.0.0-5_all.deb
相关信息
Thomas Springer <thomas.springer@tuev-sued.de>.
参考:http://online.securityfocus.com/advisories/3887
http://online.securityfocus.com/archive/1/257027
相关主页:http://www.klomp.org/gnujsp/
|
