While pen-testing a client's webserver with WebSphere in place, I came across a bug and I'm not sure whether the servlet is to blame or rather some part of WebSphere.

The case is this: After authenticating to the site, the user is sent to http://site/servlet/App?target=/index.jsp. If you change the target and ../ your way back up and then down again, accessing a file that exists such as /etc/passwd gives the following error:

Error 403
An error has occured while processing request:http://site/ErrorReporter
Message: File not found: /../../../../../../etc/passwd
Target Servlet: file
StackTrace:
---------------------------------------------------------------------------- ----
Root Error-1: File not found: /../../../../../../etc/passwd
com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: /../../../../../../etc/passwd
--snip--

If I give it something that doesn't exist, such as /etc/passw, I get your standard 404. However, if I use the poison null byte trick and request /etc/passwd%00.jsp (only works with the .jsp extension), I receive my file. Consequently, a /etc%00.jsp and doing a view source will let me browse directories.

My instinct is that this happens because the servlet doesn't check for a null byte in the string, but I thought it was worthwhile to mention.

Thanks for any input.

Steve
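A check of the kind the post suspects is missing, written as an added example (not code from the original post, the client's servlet or WebSphere): the `target` value is rejected if it contains a NUL or any other control character, and the containment and extension checks run on the normalized path that would actually be opened. The class name, `resolveTarget` and the web root path are assumptions.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class TargetValidator {
    // Assumed web root; the application's real document root is not given in the post.
    private static final Path WEB_ROOT = Paths.get("/opt/app/webroot").normalize();

    /** Returns the resolved path under WEB_ROOT, or null if the target must be rejected. */
    static Path resolveTarget(String target) {
        if (target == null || target.isEmpty()) return null;
        // The container has already URL-decoded the parameter, so %00 arrives as '\0'.
        // Reject it (and other control characters) outright instead of stripping it.
        for (int i = 0; i < target.length(); i++) {
            if (Character.isISOControl(target.charAt(i))) return null;
        }
        Path resolved;
        try {
            // Treat the target as relative to the web root, then collapse "." and "..".
            String relative = target.replaceFirst("^/+", "");
            resolved = WEB_ROOT.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            return null;
        }
        // Lexical containment check: the normalized path must stay inside the web root.
        // (Symlinks inside the web root are not resolved by normalize().)
        if (!resolved.startsWith(WEB_ROOT)) return null;
        // The extension is checked on the same string that will be handed to the file API.
        if (!resolved.getFileName().toString().endsWith(".jsp")) return null;
        return resolved;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs mirroring the requests in the post
            "/index.jsp",
            "/../../../../../../etc/passwd",
            "/../../../../../../etc/passwd\0.jsp",
            "/../../../../../../etc\0.jsp",
        };
        for (String s : samples) {
            Path p = resolveTarget(s);
            System.out.println(s.replace("\0", "%00") + " -> " + (p == null ? "rejected" : p));
        }
    }
}
```

Only the first sample is accepted; the two `%00` requests are refused before any path handling, and the plain traversal fails the containment check.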
This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 18:30:43 PDT