Blazix 1.2 jsp view and free protected folder access

[Auriemma Luigi <aluigi () pivx com>]

######################################################################

Auriemma Luigi, PivX security advisory 

Application: Blazix (http://www.blazix.com)
Version:     1.2 and previous
Bug:         Bad management of files requested with at the end some
             "bad" characters
Risk (low):  An attacker can view jsp and other server side scripts
             with the ability to access any password protected folders
Author:      Auriemma Luigi, Security Researcher, PivX Solutions, LLC
             e-mail: aluigi () pivx com

######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

______________________________________________________________________


1) Introduction


Blazix is a commercial webserver totally written in Java.
It has some feautures like the Ejb server (port 2050) and the admin
server (port 3010) for change some parameters and for stop or restart
the webserver.
Some functions of this server are: Servlets 2.3 usage, ION, JMS,
E-mail sending support, Cluster Management, Class Reloads, Automatic
EJB Primary Keys generation, Virtual Hosting support and other.

______________________________________________________________________


2) Bug


The bug I want to describe is one of the most diffused problems in the
current applications.
It is the problem that have some operating sytems API that open files
without checking some character that can be attached to the file name.
In Blazix the "bad" characters are '+' and '\' (NOT %2b and %5c).

With this bug we can view all the server side scripts in it and, more
dangerous, we have free access to the password protected folders.

Attention because the version 1.2.1 (released for some days) is still
vulnerable to the "password protected folder access" (only the jsp
view has been fixed in this release).

______________________________________________________________________


3) The Code


A] Jsp view examples:

http://127.0.0.1/jsptest.jsp+
http://127.0.0.1/jsptest.jsp\


B] Free protected folder access examples (bugtest is a folder that I
have created and protected with a password):

http://127.0.0.1/bugtest+/
http://127.0.0.1/bugtest\/

If you don't have a protected folder you can quickly follow these
simple steps:

   a) make a new folder called bugtest in webfiles
   b) copy webfiles\index.html in webfiles\bugtest\index.html
   c) add "role.user.url: /bugtest/*" in web.ini file
   d) close and restart the web server for load the new settings

______________________________________________________________________


4) Fix


The Blazix team has patched the server and you can see your real
version in the Readme.txt file in the Blazix folder (it is the ONLY
place where is written the real version).
Blazix 1.2.2 can be downloaded from its homepage:

http://www.blazix.com

______________________________________________________________________


5) Philosophy


I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits) and it's useful for all the people that are hopeful in this
type of disclosure.
No secrets!

______________________________________________________________________


About PivX Solutions
PivX Solutions, is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary Risk and Vulnerability Assessment (RAVA).
Dedicated PivX founders have also developed the patented Invisiwall
network security device which offers the most comprehensive and secure
intrusion detection system available.

For more information go to http://www.PivX.com


Any type of feedback is really welcome!

Byez



-- 
PivX Security Researcher