Vulnerability ID |
22106 |
Risk level |
30 |
Port |
80, ... |
Protocol |
TCP |
Category |
Servlet |
Description |
The web server has a vulnerability that exposes the contents of the 'WEB-INF' directory. Web applications are generally packaged into a web application archive (.WAR) and deployed as a single file, and files packaged this way follow a standard structure. The 'WEB-INF' directory in the standard package is a special directory that holds the web application's configuration information and Java class files; because of its importance, clients cannot access it directly. For this reason, the server usually answers a direct request for /WEB-INF/ with an HTTP error such as '403 Forbidden' or even '404 Not Found'. In particular, the web.xml file under the WEB-INF directory, called the "Deployment Descriptor", contains detailed deployment and configuration information for the web server, such as URL mappings, servlet registration information, the welcome file list, MIME types, error pages and security settings. However, even though access to the 'WEB-INF' directory is blocked in this way, the contents of any file under it can be viewed by requesting a URL with a '.' inserted after WEB-INF, as in the following example.
Example: www.someserver.com/WEB-INF./web.xml or www.someserver.com/WEB-INF./classes/MyServlet.class
In this way .java and .class files can be downloaded, the web.html file and other configuration files can be accessed, and in special cases client session information can be accessed as well.
This vulnerability is found in the Win32 versions of a number of servlet engines and application servers, listed below.
* Vulnerable products:
  - Sybase EA Server 4.0 ( www.sybase.com )
  - OC4J - Oracle Containers for J2EE ( www.oracle.com )
  - Orion 1.5.3 ( www.orionserver.com )
  - JRun 3.0, 3.1 and JRun 4 - Macromedia / Allaire JRun ( www.macromedia.com )
  - HPAS 8.0 - Hewlett Packard App Server ( www.bluestone.hp.com )
  - Pramati 3.0 - Pramati App Server ( www.pramati.com )
  - Jo - Jo Webserver ( http://sourceforge.net/projects/tagtraum-jo/ or www.tagtraum.de ) |
Solution |
Upgrade to a version in which this vulnerability is fixed, or install the appropriate patch for the system.
* Sybase EA Server : Upgrade to EAServer 4.1 (also fixed in maintenance release for 3.6.1)
* OC4J - Oracle Containers for J2EE : Fixed in the latest version of OC4J / 9iAS. Download OC4J from: http://www.oracle.com/technetwork/middleware/ias/downloads/utilsoft-090603.html
* JRun 3.0, 3.1, 4.0 : Upgrade to the latest version of JRun. https://www.adobe.com/products/jrun/download/
* HPAS 8.0 : Will be fixed in Maintenance Pack 8 (MP8)
* Pramati App Server : Fixes will be available in Service Pack 1.
* Jo Webserver : Fixed in version 1.0b7 and later. http://sourceforge.net/projects/tagtraum-jo/ |
Related URL |
CVE-2002-1855,CVE-2002-1856,CVE-2002-1857,CVE-2002-1858,CVE-2002-1859,CVE-2002-1860,CVE-2002-1861 (CVE) |
Related URL |
5119 (SecurityFocus) |
Related URL |
9446 (ISS) |
|
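The access check described above, as an added example that is not part of the original entry or of any listed vendor's code: an exact-string guard on /WEB-INF/ beside one that compares each path segment the way the file system will resolve it. It assumes the usual Win32 behaviour (not stated in the entry) that trailing dots and spaces are dropped and case is ignored when a name is resolved; all function names and request paths are constructed for illustration.

```python
from urllib.parse import unquote

# Directory the entry says must never be served directly (compared lower-cased).
PROTECTED = {"web-inf"}


def naive_is_protected(path: str) -> bool:
    """Exact string test: the kind of guard a 'WEB-INF.' request slips past."""
    return path == "/WEB-INF" or path.startswith("/WEB-INF/")


def win32_segment(segment: str) -> str:
    """Assumed Win32 name resolution: trailing dots/spaces dropped, case ignored."""
    return segment.rstrip(". ").lower()


def is_protected(path: str) -> bool:
    """Decode once, then test every segment as the file system would see it.

    Every segment is checked (not only the first) so that applications
    deployed under a context path such as /shop/ are covered too.
    """
    decoded = unquote(path.split("?", 1)[0]).replace("\\", "/")
    return any(win32_segment(seg) in PROTECTED for seg in decoded.split("/"))


# Constructed request paths for illustration, not captured traffic.
SAMPLE_REQUESTS = [
    "/index.jsp",
    "/WEB-INF/web.xml",
    "/WEB-INF./web.xml",
    "/WEB-INF./classes/MyServlet.class",
    "/web-inf%2E/web.xml",
    "/shop/WEB-INF. /web.xml",
]


def audit(paths):
    """Return (path, naive_verdict, normalized_verdict) for each request path."""
    return [(p, naive_is_protected(p), is_protected(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, strict in audit(SAMPLE_REQUESTS):
        print(f"{path:38} naive={naive!s:5} normalized={strict}")
```

The same normalized test can be run over access logs to find requests that an exact-match rule let through.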