151-3895-5886

apache tomcat的snoop servlet漏洞

2019年09月19日 维尼网络
bugtraq id 1500
class Access Validation Error
cve GENERIC-MAP-NOMATCH
remote Yes
local Yes
published July 24, 2000
updated July 24, 2000
vulnerable IBM Websphere Application Server 3.0.21
- Sun Solaris 8.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
IBM Websphere Application Server 3.0
- Sun Solaris 8.0
- Novell Netware 5.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
IBM Websphere Application Server 2.0
- Sun Solaris 8.0
- Novell Netware 5.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3

Certain versions of the IBM WebSphere application server ship with a vulnerability which allows malicious users to view the source of any document which resides in the web document root directory.

This is possible via a flaw which allows a default servlet (different servlets are used to parse different types of content, JHTML, HTMl, JSP, etc.) This default servlet will display the document/page without parsing/compiling it hence allowing the code to be viewed by the end user.

The Foundstone, Inc. advisory which covered this problem detailed the following method of verifying the vulnerability - full text of this advisory is available in the Credit section of this entry:

"It is easy to verify this vulnerability for a given system. Prefixing the path to web pages with "/servlet/file/" in the 网址 causes the file to be displayed without being
parsed or compiled. For example if the 网址 for a file "日志in.jsp" is:

then accessing

would cause the unparsed contents of the file to show up in the web browser."


阅读更多内容
上一篇CNET JSP BASIC:建立一个JSP网站
下一篇j2ee的jdbc配置指南--连接sql server 数据库

声明:本页内容由郑州维尼网络收集编辑所得,所有资料仅供用户参考,转载请保留此链接http://www.zzwn.cn/cms/3537.html

本文标签: 漏洞 apache Servlet Tomcat snoop

 

相关资讯 Related Info
相关分类 News Classification
解决方案 Solutions
相关热点 Hot spot
javascript实现网页跳转的办法 javascript实现网页跳转的办法
  1. 我们的承诺
  2. 我们的实力
  3. 我们的未来
郑州做网站咨询电话 建站咨询

151-3895-5886

网站备案安全放心网站

地址:郑州市上街区和昌都汇广场 / 电话:151-3895-5886
客服QQ: 7758021 / 邮箱:admin@zzwn.cn
Copyright © 2010-2019 郑州融科网络 版权所有