Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Thu Feb 15 2001 - 22:27:54 CST
----- Begin Hush Signed Message from joetestahushmail.com -----
Vulnerabilities in Bajie Http JServer
Bajie Http JServer v0.78 is a Java web server available from
http://go.to/bajie and http://java.tucows.com. A vulnerability exists
which allows a remote attacker to execute any CGI script on the file
system by using relative paths (ie: '..', '...').
In addition, arbitrary shell commands can be executed if the server is
A servlet named 'UploadServlet' is installed by default which allows
anyone to upload a file to a directory outside the web root. This feature
can be combined with Bajie Http's poor CGI handling to execute arbitrary
To demonstrate this threat, upload a PERL script using the following URL:
The 'UploadServlet' servlet saves the uploaded file using the client's
hostname, IP address, and original file name. Fortunately, the servlet
responds with this new file name automatically. Type in the following URL
to execute the program:
Bajie Http does not check if a CGI program exists before executing the
PERL binary, therefore commands can be passed to a shell if the server is
running on a UNIX-based platform. This is done with the following URL:
Delete all unnecessary servlets. Edit the 'PERLEXECLOC=' line in the
'jzHttpSrv.properties' file to disable CGI support.
The author, Gang Zhang, was initially contacted via
<gzhangxhotmail.com> on Saturday, January 27, 2001. Gang verified the
vulnerabilities and expressed a willingness to issue a fix. Almost three
weeks have passed, and nothing has been released.
- Joe Testa ( e-mail: joetestahushmail.com / AIM: LordSpankatron )
----- Begin Hush Signature v1.3 -----
----- End Hush Signature v1.3 -----
\n\nThis message has been signed with a Hush Digital Signature. \nTo verify the signature, please go to www.hush.com/tools\n\n
IMPORTANT NOTICE: If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.