From: joetesta@hushmail.com
Date: Thu Feb 15 2001 - 22:27:54 CST



    Vulnerabilities in Bajie Http JServer

        Overview

    Bajie Http JServer v0.78 is a Java web server available from
    http://go.to/bajie and http://java.tucows.com. A vulnerability exists
    which allows a remote attacker to execute any CGI script on the file
    system by placing relative path components (i.e. '..', '...') in the
    request URL.

    In addition, arbitrary shell commands can be executed if the server is
    running on a UNIX-based platform.

        Details

    A servlet named 'UploadServlet' is installed by default which allows
    anyone to upload a file to a directory outside the web root. This feature
    can be combined with Bajie Http's poor CGI path handling to execute
    arbitrary Perl programs.

    To demonstrate this threat, upload a Perl script through the default
    upload form at the following URL:

            http://localhost/upload.html

    The 'UploadServlet' servlet saves the uploaded file under a name built
    from the client's hostname, IP address, and original file name.
    Conveniently, the servlet reports this new file name in its response.
    Request the following URL to execute the program (note the doubled
    slashes and the three-dot component, which the server does not reject):

            http://localhost/cgi/bin//...//upload/[file name]

    Bajie Http does not check that a requested CGI program exists before
    invoking the Perl binary, and the request path is evidently handed to a
    shell, so if the server is running on a UNIX-based platform a ';' in the
    URL terminates the intended command and whatever follows it is executed
    as a shell command. This is done with the following URL:

            http://localhost/cgi/bin/test.txt;%20[shell command]
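
    The checks that would have stopped both of the requests above, as an
    added example in Python rather than code from Bajie Http or from this
    advisory. It assumes a CGI directory reached under the URL prefix
    /cgi/bin/ and run with a Perl binary; the directory layout, the
    'hello.pl' and 'evil.pl' file names and the symlink in demo() are
    constructed for illustration. Shell metacharacters are refused after a
    single URL decode, any path component made only of dots is refused
    outright, the resolved path must stay under the real CGI directory, the
    script must exist as a regular file, and the interpreter is launched from
    an argv list rather than a shell string.

```python
"""Hardened CGI path resolution: the checks an HTTP server needs before
handing a request path to a script interpreter.

Added example, not code from Bajie Http or from the advisory.  Assumes a
CGI directory whose URL prefix is /cgi/bin/ and that scripts there are run
with a Perl binary; the directory layout in demo() is constructed.
"""
import os
import posixpath
import re
import tempfile
from urllib.parse import unquote

# Characters that must never reach a command line assembled from a URL.
SHELL_META = re.compile(r"[;&|`$<>()\s\0]")


class CgiRequestError(Exception):
    """The request path must not be executed; the message says why."""


def resolve_cgi_script(cgi_root, url_path, cgi_prefix="/cgi/bin/"):
    """Map a URL path onto a file inside cgi_root, or raise CgiRequestError.

    1. URL-decode once, then refuse shell metacharacters, so that
       '/cgi/bin/test.txt;%20cmd' is rejected before anything is executed.
    2. Refuse any component consisting only of dots ('..', '...', ...):
       '..' is the usual traversal, and some platforms' path resolution
       has treated longer runs of dots as parent references as well.
    3. Lexically normalize (this collapses '//') and require the prefix.
    4. Resolve symlinks with realpath and require the result to stay
       under the real cgi_root.
    5. Require an existing regular file, so a request for a script that
       does not exist never produces a command line at all.
    """
    decoded = unquote(url_path)
    if SHELL_META.search(decoded):
        raise CgiRequestError("shell metacharacter in request path")
    for comp in decoded.split("/"):
        if len(comp) > 1 and set(comp) == {"."}:
            raise CgiRequestError("dot-only path component")
    norm = posixpath.normpath(decoded)
    if not norm.startswith(cgi_prefix):
        raise CgiRequestError("not under CGI prefix")
    rel = norm[len(cgi_prefix):]
    real_root = os.path.realpath(cgi_root)
    candidate = os.path.realpath(os.path.join(real_root, rel))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise CgiRequestError("resolved path escapes CGI root")
    if not os.path.isfile(candidate):
        raise CgiRequestError("no such CGI script")
    return candidate


def build_cgi_argv(cgi_root, url_path, perl="/usr/bin/perl"):
    """Return an argv list for the interpreter, never a shell command string.

    Handing this list to subprocess.run(argv) (shell=False) means a ';' in
    the path could only ever be part of a file name, not a command separator.
    """
    return [perl, resolve_cgi_script(cgi_root, url_path)]


def demo():
    """Constructed layout: <tmp>/cgi/bin/hello.pl is a legitimate script,
    <tmp>/upload/evil.pl stands in for a file dropped by an upload servlet
    outside the CGI directory, and <tmp>/cgi/bin/link.pl is a symlink to it.
    Returns, per request, either the argv list or the rejection reason."""
    base = tempfile.mkdtemp()
    cgi_root = os.path.join(base, "cgi", "bin")
    os.makedirs(cgi_root)
    os.makedirs(os.path.join(base, "upload"))
    for path in (os.path.join(cgi_root, "hello.pl"),
                 os.path.join(base, "upload", "evil.pl")):
        with open(path, "w") as fh:
            fh.write('print "hi\\n";\n')
    os.symlink(os.path.join(base, "upload", "evil.pl"),
               os.path.join(cgi_root, "link.pl"))
    requests = {
        "legit": "/cgi/bin/hello.pl",
        "dotdot": "/cgi/bin/../../upload/evil.pl",
        "advisory_traversal": "/cgi/bin//...//upload/evil.pl",
        "advisory_injection": "/cgi/bin/test.txt;%20id",
        "missing_script": "/cgi/bin/test.txt",
        "symlink_out": "/cgi/bin/link.pl",
    }
    results = {}
    for name, url in requests.items():
        try:
            results[name] = build_cgi_argv(cgi_root, url)
        except CgiRequestError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

    Only the 'legit' request yields an argv list; the two URLs from this
    advisory, a plain '..' traversal, a symlink pointing out of the CGI
    directory, and a request for a script that does not exist are each
    refused with a distinct reason. The order of the checks matters: the
    metacharacter and dot-only tests run on the decoded string before any
    normalization, so the doubled slashes cannot hide the '...' component.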

        Solution

    First vulnerability:
        Delete all unnecessary servlets, 'UploadServlet' in particular. Edit
    the 'PERLEXECLOC=' line in the 'jzHttpSrv.properties' file to disable
    CGI support.

    Second vulnerability:
        None from the vendor. Disabling CGI support as above should also
    prevent this one, since it removes the code path that invokes the Perl
    binary on request paths, but no fix for the flaw itself is available.

        Vendor Status

    The author, Gang Zhang, was initially contacted via
    <gzhangxhotmail.com> on Saturday, January 27, 2001. Gang verified the
    vulnerabilities and expressed a willingness to issue a fix. Almost three
    weeks have passed, and nothing has been released.

        - Joe Testa ( e-mail: joetesta@hushmail.com / AIM: LordSpankatron )
