From warchild@spoofed.org Mon Sep 22 01:14:38 2003
Date: Mon, 22 Sep 2003 01:14:38 -0400
From: Jon Hart
To: security-alert@sun.com
Subject: Information disclosure with SMC webserver on Solaris 9
Message-ID: <20030922051438.GB15803@spoofed.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.4i
Status: RO
Content-Length: 2816
Lines: 71

Hi,

I was playing around with the Sun Management Console (SMC) webserver that runs on port 898 on Solaris 9, and noticed an interesting but disturbing fact with its 404 error messages.

The quick summary is that it returns different 404 errors depending on where in the code the webserver decides to call sendError().

If the file requested by the user does not exist, then the following is called:

    httpservletresponse.sendError(404, "File Not Found
    " + file);

which results in an error page similar to:

    Error: 404 File Not Found /stuff/blah

If the file requested by the user does exist, but cannot be accessed for a particular reason (i.e., file.getAbsolutePath() and file.getCanonicalPath() don't match), then the following is called:

    httpservletresponse.sendError(404);

which results in an error page similar to:

    Error: 404 No detailed message

Unfortunately, no checks are done to see that the requested URL doesn't traverse out of the web root (typically /usr/sadm/lib/smc/htdocs) prior to calls to serveDir() or serveFile(), so these two functions happily access any path specified with root privileges. Altho