Tech Talk

July 20, 1998

July 24, 1998

July 27, 1998


New Sun Server Bug Surfaces

For the second time in less than a month, Sun Microsystems has confirmed the existence of a bug that could expose the source code behind server-side scripts contained within Web pages running under Java Web Server. First reported to the San Diego Source by one of its readers, the bug appears to affect only newly upgraded versions of the software.

The new bug is virtually identical to one discovered last month by programmers at the San Diego Source. That bug, which exposed a Web page's source code when a user appended a "%20" to the end of a URL, ultimately affected Web server software from Netscape, O'Reilly & Associates, Process Software and Sun Microsystems. In some situations, the bug could reveal the code behind scripts that are meant to be processed on the Web server and would not otherwise be visible. That bug, however, was tied to a flaw in the Windows 95, NT and 98 operating systems, while the new bug appears to be native to Java Web Server. Programmers at the San Diego Source have been able to exploit the new bug on Java Web Server 1.1.2 running under Solaris and Windows NT. One of the issues addressed in Java Web Server 1.1.2 was the "%20" bug.

Rob Clark, project lead for Sun's Java Web Server, said the bug potentially affects all versions of Java Web Server numbered 1.1 or later and is a completely separate issue from the earlier bugs affecting products running under Microsoft Windows. "The end result is the same, but this bug is completely unrelated. This is not a Microsoft bug," Clark said. Clark said the bug is an unwanted side effect of Java Web Server's Invoker Servlet, which allows developers to drop all servlets into a single directory and then invoke them from a tag within the Web page. The feature was intended to allow Web site developers to execute servlets with virtually no administration.
Unfortunately, by entering the path to the invoker within the URL, a user is essentially able to tell the Invoker service to execute a specific file. For example, if the sample.jhtml file can be accessed by the URL www.myserver.com/sample.jhtml, you can access the source code of the sample.jhtml file by using the URL www.myserver.com/servlet/file/sample.jhtml. Sun has already posted a simple workaround, which involves disabling the invoker, to its Java Web Server site at jserv.java.sun.com.

Such issues are important to programmers and developers creating and managing Web sites because they can reveal the scripts used to execute servlets. A servlet is a server-side Java program that uses Sun's Java Servlet API to interact with the Web server. The tags used to execute servlets are not normally visible to the end user. In most cases, such a bug wouldn't present any real security threat, because the ability to view the source code of a Web page is already an option in most popular browsers. But if a page contains server-side scripts, which commonly are used to interact with servlets and company databases, user names and passwords could be revealed. Clark said versions of Java Web Server older than 1.1 are not vulnerable to the new bug.
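As an added example, not from the article or from Sun, here is a check a site operator could run over Web server access logs to find requests that fetched a .jhtml page through the /servlet/file/ path described above, which is how the source is disclosed. The /servlet/file/ prefix and the .jhtml extension come from the article's example URL; the log lines are constructed, and the Common Log Format layout is assumed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log in Common Log Format (not from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/1998:10:01:02 -0700] "GET /sample.jhtml HTTP/1.0" 200 1834
10.0.0.5 - - [27/Jul/1998:10:01:09 -0700] "GET /servlet/file/sample.jhtml HTTP/1.0" 200 2210
10.0.0.9 - - [27/Jul/1998:10:02:31 -0700] "GET /servlet/snoop HTTP/1.0" 200 512
10.0.0.9 - - [27/Jul/1998:10:02:40 -0700] "GET /servlet/file/admin/login.jhtml HTTP/1.0" 200 3001
10.0.0.7 - - [27/Jul/1998:10:03:00 -0700] "GET /servlet/file/%73ample.jhtml HTTP/1.0" 200 2210
10.0.0.7 - - [27/Jul/1998:10:03:05 -0700] "GET /servlet/file/sample.jhtml HTTP/1.0" 404 210
"""

# client, timestamp, method, request target, status code
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Invoker path and page extension taken from the article's example URL.
INVOKER_PREFIX = "/servlet/file/"
SOURCE_EXTENSIONS = (".jhtml",)

def source_disclosure_hits(log_text, extensions=SOURCE_EXTENSIONS):
    """Return (client, decoded path, status) for every request that routed a
    server-side page through the invoker's file path and got a 2xx reply,
    i.e. the server most likely returned the page's source verbatim."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _ts, _method, target, status = m.groups()
        # Decode percent-escapes so "%73ample.jhtml" is seen as "sample.jhtml".
        path = unquote(urlsplit(target).path)
        if not path.startswith(INVOKER_PREFIX):
            continue
        if not path.lower().endswith(extensions):
            continue
        # A 404 or other non-2xx means no file body was handed back.
        if status.startswith("2"):
            hits.append((client, path, int(status)))
    return hits

if __name__ == "__main__":
    for hit in source_disclosure_hits(SAMPLE_LOG):
        print("possible source disclosure:", hit)
```

A direct request for /sample.jhtml and a normal invoker call such as /servlet/snoop are left alone; only successful fetches of a .jhtml page under /servlet/file/ are reported.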
