0226.htm

JspServlet教程专栏 对javaservlet讲述的非常详细

<html>

<head>
<title>新时代软件教程:操作系统 主页制作 服务器 设计软件 网络技术 编程语言 文字编辑</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style>
<!--
body, table {font-size: 9pt; font-family: 宋体}
a {text-decoration:none}
a:hover {color: red;text-decoration:underline}
.1  {background-color: rgb(245,245,245)}
-->
</style>
</head>
<p align="center"><script src="../../1.js"></script></a>
<p align="center"><big><strong>JSP多种web应用服务器导致JSP源码泄漏漏洞</strong></big></p>
<div align="right">---摘自互联网</div>

<br>受影响的系统:&nbsp; <br>
BEA&nbsp; Systems&nbsp; Weblogic&nbsp; 4.5.1<br>
<br>
-&nbsp; Microsoft&nbsp; Windows&nbsp; NT&nbsp; 4.0<br>
<br>
BEA&nbsp; Systems&nbsp; Weblogic&nbsp; 4.0.4<br>
<br>
-&nbsp; Microsoft&nbsp; Windows&nbsp; NT&nbsp; 4.0<br>
<br>
BEA&nbsp; Systems&nbsp; Weblogic&nbsp; 3.1.8<br>
<br>
-&nbsp; Microsoft&nbsp; Windows&nbsp; NT&nbsp; 4.0<br>
<br>
IBM&nbsp; Websphere&nbsp; Application&nbsp; Server&nbsp; 3.0.21<br>
<br>
-&nbsp; Sun&nbsp; Solaris&nbsp; 8.0<br>
<br>
-&nbsp; Microsoft&nbsp; Windows&nbsp; NT&nbsp; 4.0<br>
<br>
-&nbsp; Linux&nbsp; kernel&nbsp; 2.3.x<br>
<br>
-&nbsp; IBM&nbsp; AIX&nbsp; 4.3<br>
<br>
Unify&nbsp; eWave&nbsp; ServletExec&nbsp; 3.0<br>
<br>
-&nbsp; Sun&nbsp; Solaris&nbsp; 8.0<br>
<br>
-&nbsp; Microsoft&nbsp; Windows&nbsp; 98<br>
<br>
-&nbsp; Microsoft&nbsp; Windows&nbsp; NT&nbsp; 4.0<br>
<br>
-&nbsp; Microsoft&nbsp; Windows&nbsp; NT&nbsp; 2000<br>
<br>
-&nbsp; Linux&nbsp; kernel&nbsp; 2.3.x<br>
<br>
-&nbsp; IBM&nbsp; AIX&nbsp; 4.3.2<br>
<br>
-&nbsp; HP&nbsp; HP-UX&nbsp; 11.4<br>
<br>
描述:<br>
<br>
--------------------------------------------------------------------------------<br>
<br>
　<br>
<br>
　　很多webserver对大小写是敏感的，但对后缀的大小写映射并没有做正确的处理。只要在URL中将JSP或者JHTML文件后缀从小写变成大写，Web服务器就不能正确处理这个文件后缀，而将其做为纯文本显示，攻击者可能得到这些程序的源代码。<br>
<br>
&lt;*&nbsp; 来源：&nbsp; stuart.mcclure@FOUNDSTONE.COM&nbsp; *><br>
<br>
--------------------------------------------------------------------------------<br>
<br>
建议:<br>
<br>
Unify&nbsp; eWave&nbsp; ServletExec:<br>
<br>
Unify说缺省安装的Servlet不会泄漏源代码<br>
<br>
BEA&nbsp; Systems&nbsp; Weblogic:<br>
<br>
临时解决办法：<br>
<br>
对所有的可能的大小写后缀增加handler处理：<br>
<br>
.jsp&nbsp; 文件:<br>
<br>
.jsp&nbsp; .Jsp&nbsp; .jSp&nbsp; .jsP&nbsp; .JSp&nbsp; .jSP&nbsp; .JsP&nbsp; .JSP<br>
<br>
.jhtml&nbsp; 文件：<br>
<br>
.jhtml&nbsp; .Jhtml&nbsp; .jHtml&nbsp; .jhTml&nbsp; .jhtMl&nbsp; .jhtmL&nbsp; .JHtml&nbsp; .JhTml<br>
<br>
.JhtMl&nbsp; .JhtmL&nbsp; .jHTml&nbsp; .jHtMl&nbsp; .jHtmL&nbsp; .jhTMl&nbsp; .jhTmL&nbsp; .jhtML<br>
<br>
.JHTml&nbsp; .JHtMl&nbsp; .JHtmL&nbsp; .JhTMl&nbsp; .JhTmL&nbsp; .JhtML&nbsp; .jHTMl&nbsp; .jHTmL<br>
<br>
.jHtML&nbsp; .jhTML&nbsp; .JHTMl&nbsp; .JHTmL&nbsp; .JhTML&nbsp; .jHTML&nbsp; .JHTML<br>
<br>
厂商已经提供一个针对3.1.8版本的补丁，可以在下列地址下载：<br>
<br>
ftp://ftpna.beasys.com/pub/releases/318/caseSensitiveNTFix318.zip<br>
<br>
IBM&nbsp; WebSphere&nbsp; Application&nbsp; Server:<br>
<br>
IBM已经提供了相应的补丁程序，地址在：<br>
<br>
http://www-4.ibm.com/software/webservers/appserv/efix.html&nbsp; 

  </table>
<p align="center"><script src="../../2.js"></script></a>
</body>
</html>