CVE-2003-0411
CVSS5.0
Published: 2003-06-30 00:00:00
Revised: 2016-10-17 22:33:41

[Original] Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension.


[CNNVD] Sun ONE Application Server source disclosure vulnerability (CNNVD-200306-115)

Sun ONE Application Server 7.0 on the Windows 2000/XP platform contains a vulnerability. A remote attacker can obtain JSP source code by means of a request that uses the uppercase ".JSP" extension in place of the lowercase .jsp extension.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:sun:one_application_server:7.0::standard
cpe:/a:sun:one_application_server:7.0::platform

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0411
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0411
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-115
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105409846029475&w=2
(UNKNOWN)  BUGTRAQ  20030526 Multiple Vulnerabilities in Sun-One Application Server
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55221&zone_32=category%3Asecurity
(VENDOR_ADVISORY)  SUNALERT  55221
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000610.1-1
(UNKNOWN)  SUNALERT  1000610
http://www.ciac.org/ciac/bulletins/n-103.shtml
(VENDOR_ADVISORY)  CIAC  N-103
http://www.iss.net/security_center/static/12093.php
(VENDOR_ADVISORY)  XF  sunone-jsp-source-disclosure(12093)
http://www.securityfocus.com/bid/7709
(VENDOR_ADVISORY)  BID  7709
http://www.spidynamics.com/sunone_alert.html
(UNKNOWN)  MISC  http://www.spidynamics.com/sunone_alert.html

- Vulnerability information

Sun ONE Application Server source disclosure vulnerability
Medium  Input validation
2003-06-30 00:00:00 2005-10-20 00:00:00
Remote
Sun ONE Application Server 7.0 on the Windows 2000/XP platform contains a vulnerability. A remote attacker can obtain JSP source code by means of a request that uses the uppercase ".JSP" extension in place of the lowercase .jsp extension.

- Advisories and patches

A new version has been released to address this issue.

Sun ONE Application Server 7.0 Platform Edition

Sun ONE Application Server 7.0 UR1 Platform Edition

Sun ONE Application Server 7.0 Standard Edition

Sun ONE Application Server 7.0 UR1 Standard Edition

- Vulnerability information (22664)

Sun ONE Application Server 7.0 Source Disclosure Vulnerability (EDBID:22664)
windows remote
2003-05-27 Verified
0 SPI Labs
N/A
source: http://www.securityfocus.com/bid/7709/info

Sun ONE Application Server is prone to a source code disclosure vulnerability. This issue is due to handling of case in requests for resources. By changing the case of a file extension, the server may fail to interpret the script and instead serve it as a normal web resource.

This issue exists for Sun ONE Application Server 7.0 on Microsoft Windows platforms. Previous versions may also be affected. 

GET /[script].JSP HTTP/1.0

where [script] is the name of a script hosted by the server.

- Vulnerability information

11709
Sun ONE Application Server Upper Case Request JSP Source Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2003-05-26 Unknown
Unknown Unknown

- Solution

Upgrade to version 7.0 Update Release 2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Sun ONE Application Server Source Disclosure Vulnerability
Input Validation Error 7709
Yes No
2003-05-27 12:00:00 2009-07-11 10:06:00
Discovery of this issue is credited to "SPI Labs" <spilabs@spidynamics.com>.

- Affected program versions

Sun ONE Application Server 7.0 UR1 Standard Edition
Sun ONE Application Server 7.0 UR1 Platform Edition
Sun ONE Application Server 7.0 Standard Edition
Sun ONE Application Server 7.0 Platform Edition
Sun ONE Application Server 7.0 UR2 Standard Edition
Sun ONE Application Server 7.0 UR2 Platform Edition

- Unaffected program versions

Sun ONE Application Server 7.0 UR2 Standard Edition
Sun ONE Application Server 7.0 UR2 Platform Edition

- Vulnerability discussion

Sun ONE Application Server is prone to a source code disclosure vulnerability. This issue is due to handling of case in requests for resources. By changing the case of a file extension, the server may fail to interpret the script and instead serve it as a normal web resource.

This issue exists for Sun ONE Application Server 7.0 on Microsoft Windows platforms. Previous versions may also be affected.
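The discussion above (repeated from the SecurityFocus record earlier on this page) describes the mechanism only in one sentence: the extension is matched case-sensitively, the filesystem is not, so a request for `.JSP` misses the JSP handler and falls through to the static file handler. The following added example (my own illustration, not Sun's code or the advisory's) models that dispatch in miniature: a vulnerable dispatcher, a hardened one that normalizes the extension and refuses to serve script sources statically, and a check over constructed access log lines that flags requests using a case variant of a script extension. The document root, the log lines and the `SCRIPT_EXTENSIONS` set are all constructed for the example.

```python
"""Added illustration of CVE-2003-0411-style extension-case source disclosure
(example code, not part of the original advisory or of Sun ONE itself)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed document root: stored file name -> file contents.
DOC_ROOT: Dict[str, str] = {
    "index.jsp": '<%@ page import="java.sql.*" %><% String dbPassword = "example"; %>',
    "logo.png": "PNG placeholder bytes",
}

# Extensions that must only ever be executed by the script engine (assumption).
SCRIPT_EXTENSIONS = {".jsp"}

RENDERED = "<rendered JSP output>"


def extension_of(path: str) -> str:
    """Return the extension of the last path segment, including the dot, or ''."""
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):] if "." in last else ""


def lookup(path: str) -> Optional[Tuple[str, str]]:
    """Simulate a case-insensitive filesystem such as NTFS: the lookup
    succeeds whatever case the request used, returning (stored_name, data)."""
    name = path.lstrip("/")
    for stored, data in DOC_ROOT.items():
        if stored.lower() == name.lower():
            return stored, data
    return None


def serve_vulnerable(path: str) -> dict:
    """Dispatcher that matches the extension case-sensitively. /index.JSP
    misses the script handler and falls through to the static handler,
    which returns the raw source."""
    found = lookup(path)
    if found is None:
        return {"status": 404, "body": ""}
    _, data = found
    if extension_of(path) in SCRIPT_EXTENSIONS:
        return {"status": 200, "body": RENDERED}
    return {"status": 200, "body": data}


def serve_hardened(path: str) -> dict:
    """Dispatcher that lower-cases the extension before matching, and as a
    second line of defence refuses to serve statically any file whose stored
    name carries a script extension."""
    found = lookup(path)
    if found is None:
        return {"status": 404, "body": ""}
    stored, data = found
    if extension_of(path).lower() in SCRIPT_EXTENSIONS:
        return {"status": 200, "body": RENDERED}
    if extension_of(stored).lower() in SCRIPT_EXTENSIONS:
        return {"status": 403, "body": ""}  # never hand script source to the static handler
    return {"status": 200, "body": data}


# Defender-side check: which logged requests used a case variant of a script extension?
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_case_variant_requests(lines: List[str]) -> List[str]:
    """Return request paths whose extension equals a script extension only
    after lower-casing (e.g. /foo.JSP or /foo.Jsp), which is exactly the
    request shape this advisory describes."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group(1)).path
        ext = extension_of(path)
        if ext != ext.lower() and ext.lower() in SCRIPT_EXTENSIONS:
            hits.append(path)
    return hits


# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/May/2003:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.10 - - [26/May/2003:10:00:02 +0000] "GET /index.JSP HTTP/1.0" 200 2048',
    '192.0.2.11 - - [26/May/2003:10:00:03 +0000] "GET /logo.png HTTP/1.0" 200 120',
    '192.0.2.12 - - [26/May/2003:10:00:04 +0000] "GET /login.Jsp?u=a HTTP/1.0" 200 1900',
]

if __name__ == "__main__":
    print("vulnerable /index.JSP ->", serve_vulnerable("/index.JSP"))
    print("hardened  /index.JSP ->", serve_hardened("/index.JSP"))
    print("flagged requests:", flag_case_variant_requests(SAMPLE_LOG))
```

The log check is a cheap retrospective test for the window before UR2 was applied: on a server where every deployed script is lower-case, any request whose script extension differs only in case is worth a look, and a 200 response with a body size close to the source file rather than the rendered page is the confirming signal.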

- Exploitation

This issue may be exploited with a web browser. For example:

GET /[script].JSP HTTP/1.0

where [script] is the name of a script hosted by the server.

- Solution

A new version has been released to address this issue.


Sun ONE Application Server 7.0 Platform Edition

Sun ONE Application Server 7.0 UR1 Platform Edition

Sun ONE Application Server 7.0 Standard Edition

Sun ONE Application Server 7.0 UR1 Standard Edition

- Related references
