Bugtraq mailing list archives
Vulnerabilities in Bajie Http JServer
From: joetesta () HUSHMAIL COM
Date: Thu, 15 Feb 2001 20:27:54 -0800
Vulnerabilities in Bajie Http JServer

Overview

Bajie Http JServer v0.78 is a Java web server available from http://go.to/bajie and http://java.tucows.com. A vulnerability exists which allows a remote attacker to execute any CGI script on the file system by using relative paths (ie: '..', '...'). In addition, arbitrary shell commands can be executed if the server is UNIX-based.

Details

A servlet named 'UploadServlet' is installed by default which allows anyone to upload a file to a directory outside the web root. This feature can be combined with Bajie Http's poor CGI handling to execute arbitrary PERL programs. To demonstrate this threat, upload a PERL script using the following URL:

    http://localhost/upload.html

The 'UploadServlet' servlet saves the uploaded file using the client's hostname, IP address, and original file name. Fortunately, the servlet responds with this new file name automatically. Type in the following URL to execute the program:

    http://localhost/cgi/bin//...//upload/[file name]

Bajie Http does not check if a CGI program exists before executing the PERL binary, therefore commands can be passed to a shell if the server is running on a UNIX-based platform. This is done with the following URL:

    http://localhost/cgi/bin/test.txt;%20[shell command]

Solution

First vulnerability: Delete all unnecessary servlets. Edit the 'PERLEXECLOC=' line in the 'jzHttpSrv.properties' file to disable CGI support.

Second vulnerability: None.

Vendor Status

The author, Gang Zhang, was initially contacted via <gzhangx () hotmail com> on Saturday, January 27, 2001. Gang verified the vulnerabilities and expressed a willingness to issue a fix. Almost three weeks have passed, and nothing has been released.
- Joe Testa ( e-mail: joetesta () hushmail com / AIM: LordSpankatron )
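
The two checks the advisory reports missing, shown as added Java example code (not Bajie's source and not part of the original post): the requested script is confined to the CGI directory and must exist before the interpreter is started, and the interpreter is launched with an argument vector instead of through a shell. The class and method names, the directory layout and the sample requests are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.List;

public class CgiDispatch {
    // Resolve a requested script name to an existing file inside cgiRoot, or throw.
    static Path resolveScript(Path cgiRoot, String requested) throws IOException {
        for (String seg : requested.split("[/\\\\]+")) {
            // Reject dot-only segments ('.', '..', '...'); some platforms treat
            // runs of dots as parent-directory references.
            if (seg.matches("\\.+")) throw new SecurityException("dot segment: " + requested);
        }
        Path root = cgiRoot.toRealPath();
        // toRealPath() throws if the file is missing, so the interpreter is
        // never started for a script that does not exist.
        Path script = root.resolve(requested.replaceFirst("^[/\\\\]+", "")).toRealPath();
        // After symlink resolution the script must still sit under the CGI root.
        if (!script.startsWith(root) || !Files.isRegularFile(script))
            throw new SecurityException("outside CGI root: " + requested);
        return script;
    }

    // Interpreter invocation as an argument vector: no shell parses the request,
    // so ';' and spaces in the name are only ever part of one file-name argument.
    static ProcessBuilder command(String perl, Path script) {
        return new ProcessBuilder(List.of(perl, script.toString()));
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("webroot");      // constructed layout
        Path cgi = Files.createDirectories(base.resolve("cgi"));
        Path upload = Files.createDirectories(base.resolve("upload"));
        Files.writeString(cgi.resolve("test.pl"), "print \"ok\\n\";");
        Files.writeString(upload.resolve("x.pl"), "print \"no\\n\";");
        // Constructed requests modelled on the URL shapes in the advisory.
        String[] requests = { "test.pl", "/...//upload/x.pl", "../upload/x.pl", "test.txt; id" };
        for (String r : requests) {
            try {
                Path p = resolveScript(cgi, r);
                System.out.println("ALLOW " + r + " -> " + command("perl", p).command());
            } catch (RuntimeException | IOException e) {
                System.out.println("DENY  " + r + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

Only `test.pl` is allowed; the dot-segment requests are rejected before any file-system access, and `test.txt; id` fails the existence check instead of reaching an interpreter.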