Tech Talk

June 22, 1998

June 29, 1998

July 1, 1998


More Web Servers Affected By Source Code-Revealing Bug

As Netscape Communications and O'Reilly & Associates scramble to patch a bug that could reveal the source code behind some sensitive Internet scripts, San Diego Source programmers have identified at least two more popular Web server programs that are vulnerable. JavaWebServer, published by Sun Microsystems, and Purveyor, published by Process Software Corp., are only the most recent additions to a growing list of programs directly or indirectly vulnerable to the bug. The glitch affects only programs running under Microsoft Windows, indicating it is tied to the Windows 95, NT and 98 operating systems rather than to any single server product.

The bug, discovered last week, makes it possible for users to view the source code of a Web page by appending certain characters to the end of a Web page address. In some situations, the bug will reveal script code that is meant to be processed on the Web server and would not otherwise be visible to a browser. The bug is similar to one found last year in Microsoft's Internet Information Server Web server software.

The bug is important to developers building sites around JavaWebServer because it could reveal the source code used when executing "servlets." A servlet is a server-side Java program that uses Sun's Java Servlet API to interact with the Web server. Under normal circumstances, the contents of the tags used to call a servlet would be invisible to the end user. Sun Microsystems did not return calls Monday seeking comment on the finding.

For users of Purveyor, the bug is a problem because no fix is coming. "The Purveyor Encrypt WebServer for Windows NT was retired by Process Software approximately 18 months ago," a spokesman for Process Software said after the company confirmed the bug's existence. The San Diego Source was able to identify more than 800 sites, including at least one San Diego company, still running Purveyor. American Digital Network, which hosts sites for hundreds of local companies, started using the product in 1995, but has since adopted UNIX.
"While some users still have it deployed in a non-supported state, Process Software will not be addressing any bugs in it," Process' spokesman said. According to Steve Wallace, ADNC's network manager, the company is running only a handful of sites under Purveyor, and none of them support server-side scripts or CGIs. "We will rapidly move [the remaining] clients to a more secure platform," Wallace said after being told of the server's vulnerability. "Purveyor was something we picked up in 1995. We haven't even touched it since."
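The "append characters to the address" check the article describes can be turned into a differential test that an administrator can run against a server before trusting it with server-side scripts. The Python below is an added example, not code from the San Diego Source, Sun Microsystems or Process Software. The article does not say which characters trigger the bug, so the suffix list, the server-side markers it looks for, the file names and the fake Windows-hosted server it runs against are all constructed placeholders for the demonstration; swap in a real HTTP fetch function to use it against a live host.

```python
"""Differential probe for URL-suffix source-disclosure bugs.

Added example, not from the original article. It fetches a script URL as-is
and again with each candidate suffix appended, then reports the suffixes whose
response (a) differs from the normal response and (b) still contains
server-side markup that the normal, processed response does not.
"""
import re
from typing import Callable, Iterable, List, Tuple

# Markup that should never reach a browser once the server has processed the
# file. JavaWebServer servlet tags, ASP-style <% %> and SSI directives are
# assumed here as representative server-side syntax.
SERVER_SIDE_MARKERS = [
    re.compile(r"<servlet\b", re.I),
    re.compile(r"<%.*?%>", re.S),
    re.compile(r"<!--#\w+", re.I),
]

Fetch = Callable[[str], Tuple[int, str]]  # path -> (status, body)


def looks_like_source(body: str) -> bool:
    """True if the body still contains unprocessed server-side markup."""
    return any(m.search(body) for m in SERVER_SIDE_MARKERS)


def probe(fetch: Fetch, path: str, suffixes: Iterable[str]) -> List[str]:
    """Return the suffixes that make `path` come back as raw source.

    A finding requires that the normal response is *not* source (otherwise the
    file is simply static) and that the suffixed response is. Non-200 replies
    are ignored: an error page is not a leak.
    """
    base_status, base_body = fetch(path)
    if base_status != 200 or looks_like_source(base_body):
        return []
    hits = []
    for suffix in suffixes:
        status, body = fetch(path + suffix)
        if status == 200 and body != base_body and looks_like_source(body):
            hits.append(suffix)
    return hits


# --- constructed fake server for an offline demo ---------------------------
# Emulates a server that maps the URL straight to a file name and lets the
# file system canonicalise it: a suffix in CANON_STRIP still opens the same
# file, but the script handler no longer recognises the extension and the
# raw file is sent instead. These suffixes are placeholders, NOT the trigger
# the article withheld.
CANON_STRIP = (".", "%20")
FILES = {  # constructed sample content
    "/order.jhtml": "<html><servlet code=Order></servlet></html>",
    "/index.html": "<html><body>Welcome</body></html>",
}


def fake_fetch(path: str) -> Tuple[int, str]:
    if path in FILES:
        # Normal handler: run the servlet and send only its output.
        processed = re.sub(r"<servlet.*?</servlet>", "[servlet output]",
                           FILES[path], flags=re.S)
        return 200, processed
    for suffix in CANON_STRIP:
        if path.endswith(suffix) and path[: -len(suffix)] in FILES:
            return 200, FILES[path[: -len(suffix)]]  # raw, unprocessed file
    return 404, "not found"


if __name__ == "__main__":
    # Expect the two canonicalisation suffixes to be flagged, "?" to be clean.
    print(probe(fake_fetch, "/order.jhtml", ["?", *CANON_STRIP]))
```

The comparison against the unsuffixed response is what keeps the false-positive rate down: a static HTML file that happens to contain `<%` in a comment is returned identically both ways and is not reported.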
